
Please check my ComboFix log

Posted: 15 Nov 2010 19:31
by duso
Hello, please check my ComboFix log. I installed avast 5, the internet does not work in my web browser, and when Windows boots it tells me that a virus, "KMS emulator", was found.

Do I have junk in there?
Thank you.


ComboFix 10-11-14.04 - PC 15.11.2010 19:11:23.1.2 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.421.1033.18.3071.2550 [GMT 1:00]
Running from: c:\documents and settings\PC\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: avast! Antivirus *disabled* {7591DB91-41F0-48A3-B128-1A293FD8233D}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\driver
c:\windows\system32\system
c:\windows\system32\system\msvcr80.dll
c:\windows\system32\system\msvcr80d.dll

.
((((((((((((((((((((((((( Files Created from 2010-10-15 to 2010-11-15 )))))))))))))))))))))))))))))))
.

2010-11-15 17:09 . 2010-11-15 17:09 77824 ------w- c:\windows\KMSEmulator.exe
2010-11-15 16:21 . 2010-09-07 15:52 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-11-15 16:21 . 2010-09-07 15:47 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-11-15 16:21 . 2010-09-07 15:53 340048 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2010-11-15 16:21 . 2010-09-07 15:52 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-11-15 16:21 . 2010-09-07 15:47 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-11-15 16:20 . 2010-09-07 15:47 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-11-15 16:20 . 2010-09-07 15:47 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-11-15 16:20 . 2010-09-07 15:46 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-11-15 16:20 . 2010-09-07 16:12 38848 ----a-w- c:\windows\avastSS.scr
2010-11-15 16:20 . 2010-09-07 16:11 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-11-15 16:20 . 2010-11-15 16:20 -------- d-----w- c:\program files\Alwil Software
2010-11-15 15:24 . 2010-09-07 15:54 99792 ----a-w- c:\windows\system32\drivers\aswFW.sys
2010-11-15 15:24 . 2010-09-07 15:53 190416 ----a-w- c:\windows\system32\drivers\aswNdis2.sys
2010-11-15 15:24 . 2010-11-15 15:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-11-14 10:03 . 2010-11-14 10:03 -------- d-----w- c:\documents and settings\PC\Local Settings\Application Data\GHISLER
2010-11-14 09:14 . 2010-11-14 09:16 -------- d-----w- c:\documents and settings\PC\Application Data\GHISLER
2010-11-14 09:14 . 2010-11-14 09:15 -------- d-----w- C:\totalcmd
2010-11-09 22:09 . 2010-11-09 22:09 -------- d-----w- c:\documents and settings\PC\Local Settings\Application Data\Real
2010-11-09 22:09 . 2009-04-02 14:21 84480 ----a-w- c:\windows\system32\ff_vfw.dll
2010-11-09 22:09 . 2008-06-08 22:58 60273 ----a-w- c:\windows\system32\pthreadGC2.dll
2010-11-09 22:09 . 2010-11-09 22:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-11-09 22:09 . 2009-01-05 15:18 90112 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-09 22:09 . 2009-01-05 15:18 57344 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-09 22:08 . 2010-11-09 22:08 -------- d-----w- c:\program files\Common Files\Magic Video Converter
2010-11-09 22:08 . 2005-10-28 08:44 308224 ----a-w- c:\windows\system32\avisynth.dll
2010-11-09 22:08 . 2004-02-22 00:11 719872 ----a-w- c:\windows\system32\devil.dll
2010-11-09 22:08 . 2010-11-09 22:32 -------- d-----w- c:\program files\Magic Video Converter
2010-11-08 21:13 . 2010-11-08 21:13 614400 ----a-w- c:\windows\AutoKMS.exe
2010-11-08 20:11 . 2010-11-08 20:11 -------- d-----w- c:\documents and settings\PC\Local Settings\Application Data\Microsoft Help
2010-11-08 20:11 . 2010-11-08 21:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-11-08 19:58 . 2010-11-08 19:58 -------- d-----w- c:\program files\Microsoft.NET
2010-11-08 19:58 . 2010-11-08 19:58 -------- d-----w- c:\documents and settings\All Users\Microsoft
2010-11-08 19:56 . 2010-11-08 19:56 -------- d-----w- c:\program files\Microsoft Analysis Services
2010-11-08 19:56 . 2010-11-08 19:56 -------- d-----w- c:\windows\SHELLNEW
2010-11-08 19:55 . 2010-11-08 19:55 -------- d-----r- C:\MSOCache
2010-11-08 19:49 . 2008-04-14 04:41 33792 -c----w- c:\windows\system32\dllcache\custsat.dll
2010-11-08 19:48 . 2008-04-13 23:10 10240 ------w- c:\windows\system32\drivers\sffp_mmc.sys
2010-11-08 19:48 . 2006-12-28 23:31 19569 ----a-w- c:\windows\005390_.tmp
2010-11-03 15:22 . 2010-11-03 15:22 -------- d-----w- c:\program files\Zoner
2010-11-01 21:56 . 2010-11-01 22:31 -------- d-----w- c:\documents and settings\PC\Local Settings\Application Data\ACD Systems
2010-11-01 21:56 . 2010-11-01 21:56 -------- d-----w- c:\documents and settings\PC\Application Data\ACD Systems
2010-11-01 21:54 . 2010-11-01 21:54 -------- d-----w- c:\documents and settings\All Users\Application Data\ACD Systems
2010-11-01 21:54 . 2010-11-01 21:54 -------- d-----w- c:\program files\Common Files\ACD Systems
2010-11-01 21:54 . 2010-11-01 21:54 -------- d-----w- c:\program files\ACD Systems
2010-11-01 21:53 . 2010-11-01 21:53 -------- d-----w- c:\documents and settings\PC\Local Settings\Application Data\Downloaded Installations
2010-11-01 18:59 . 2010-11-01 19:00 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-11-01 18:59 . 2010-11-12 18:40 138184 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-11-01 18:59 . 2010-11-12 18:40 183112 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-11-01 18:49 . 2010-11-01 18:49 -------- d--h--r- c:\documents and settings\PC\Application Data\SecuROM
2010-11-01 18:49 . 2010-11-01 18:49 -------- d-----w- c:\documents and settings\PC\Application Data\Leadertech
2010-11-01 18:07 . 2010-11-01 18:13 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2010-11-01 18:07 . 2010-11-01 18:07 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-11-01 18:07 . 2010-11-01 18:08 -------- d-----w- c:\program files\DAEMON Tools Lite
2010-11-01 18:04 . 2010-11-01 18:41 -------- d-----w- c:\documents and settings\PC\Application Data\DAEMON Tools Lite
2010-11-01 18:03 . 2010-11-01 18:04 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2010-10-31 20:31 . 2010-10-31 20:31 -------- d-----w- c:\documents and settings\PC\Local Settings\Application Data\Identities
2010-10-31 12:07 . 2010-10-31 12:07 -------- d-----w- c:\documents and settings\PC\Local Settings\Application Data\Cyberlink
2010-10-31 12:07 . 2010-10-31 12:07 -------- d-----w- c:\documents and settings\PC\Application Data\CyberLink
2010-10-31 12:06 . 2010-10-31 12:07 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink
2010-10-31 12:06 . 2010-10-31 12:05 29480 ----a-w- c:\windows\system32\msxml3a.dll
2010-10-31 12:06 . 2010-10-31 12:06 -------- d-----w- c:\program files\Common Files\CyberLink
2010-10-31 12:05 . 2010-10-31 12:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Temp
2010-10-28 14:22 . 2010-11-03 15:23 -------- d-----w- c:\documents and settings\PC\Application Data\Zoner
2010-10-28 14:22 . 2010-10-28 14:22 -------- d-----w- c:\documents and settings\PC\Local Settings\Application Data\Zoner
2010-10-26 21:28 . 2010-11-13 21:25 -------- d-----w- c:\program files\ICQ6.5
2010-10-25 14:37 . 2010-10-25 16:58 -------- d-----w- c:\documents and settings\PC\Application Data\BSplayer PRO
2010-10-25 14:37 . 2010-10-25 14:37 -------- d-----w- c:\program files\Webteh
2010-10-24 21:36 . 2009-09-04 15:29 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2010-10-24 21:36 . 2006-09-28 15:05 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2010-10-24 21:36 . 2010-10-24 21:36 -------- d-----w- c:\windows\Logs
2010-10-24 21:36 . 2010-10-24 21:36 -------- d-----w- c:\program files\Winamp Detect
2010-10-24 21:10 . 2008-04-14 04:42 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-10-24 09:29 . 2010-10-24 09:29 -------- d-----w- c:\program files\Common Files\Java
2010-10-23 18:33 . 2010-09-15 02:50 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-23 18:33 . 2010-09-15 00:29 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-10-23 18:32 . 2010-10-24 09:29 -------- d-----w- c:\program files\Java
2010-10-23 18:32 . 2010-11-11 16:26 -------- d-----w- c:\program files\JDownloader
2010-10-22 21:00 . 2010-10-22 21:00 -------- d-----w- c:\documents and settings\PC\Application Data\Malwarebytes
2010-10-22 20:59 . 2010-04-29 10:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-22 20:59 . 2010-10-22 20:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-22 20:59 . 2010-10-22 20:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-10-22 20:59 . 2010-04-29 10:19 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-22 20:56 . 2010-10-22 20:56 -------- d-----w- c:\documents and settings\PC\Application Data\Talkback
2010-10-22 20:45 . 2010-10-22 20:45 -------- d-----w- c:\documents and settings\PC\Local Settings\Application Data\Mozilla
2010-10-22 20:42 . 2010-11-15 14:11 -------- d-----w- c:\documents and settings\PC\Application Data\skypePM
2010-10-22 20:36 . 2010-11-15 18:09 -------- d-----w- c:\documents and settings\PC\Application Data\Skype
2010-10-22 20:36 . 2010-10-22 20:36 -------- d-----w- c:\program files\Skype
2010-10-22 20:36 . 2010-10-22 20:36 -------- d-----w- c:\program files\Common Files\Skype
2010-10-22 20:36 . 2010-10-22 20:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-10-22 20:35 . 2010-10-27 10:00 -------- d-----w- c:\program files\ICQ6Toolbar
2010-10-22 20:35 . 2010-10-26 21:28 -------- d-----w- c:\documents and settings\All Users\Application Data\ICQ
2010-10-22 20:35 . 2010-11-15 17:08 -------- d-----w- c:\documents and settings\PC\Application Data\ICQ
2010-10-22 20:15 . 2010-10-22 20:15 15872 ----a-r- c:\documents and settings\PC\Application Data\Microsoft\Installer\{048298C9-A4D3-490B-9FF9-AB023A9238F3}\Icon048298C9.exe
2010-10-22 20:15 . 2010-10-22 20:15 -------- d-----w- c:\program files\Valve
2010-10-22 16:14 . 2008-04-14 04:41 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-10-22 16:14 . 2008-04-13 23:09 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-10-22 16:13 . 2008-04-13 23:15 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2010-10-22 10:42 . 2010-10-22 10:42 -------- d-----w- c:\documents and settings\PC\Local Settings\Application Data\ATI
2010-10-22 10:42 . 2010-10-22 10:42 -------- d-----w- c:\documents and settings\PC\Application Data\ATI
2010-10-22 10:42 . 2010-10-22 10:42 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI
2010-10-22 10:19 . 2010-10-22 10:19 -------- d-----w- C:\ATI
2010-10-22 09:54 . 2010-10-22 09:54 -------- d-s---w- c:\documents and settings\PC\UserData
2010-10-22 09:50 . 2010-10-22 09:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Avg7
2010-10-22 09:49 . 2010-11-01 18:46 -------- d-----w- c:\windows\system32\LogFiles
2010-10-21 20:48 . 2010-10-22 18:12 -------- d-----w- C:\Boot
2010-10-21 10:32 . 2001-08-17 11:48 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2010-10-21 10:32 . 2001-08-17 11:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-10-21 10:32 . 2008-04-13 23:15 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-31 12:05 . 2007-03-28 12:13 505128 ----a-w- c:\windows\system32\msvcp71.dll
2010-10-31 12:05 . 2007-03-28 12:13 353576 ----a-w- c:\windows\system32\msvcr71.dll
2010-08-26 03:33 . 2007-03-28 11:55 5386752 ----a-w- c:\windows\system32\drivers\ati2mtag.sys
2010-08-26 01:56 . 2007-03-28 11:55 300544 ----a-w- c:\windows\system32\ati2dvag.dll
2010-08-26 01:52 . 2007-03-28 11:55 3927936 ----a-w- c:\windows\system32\ati3duag.dll
2010-08-26 01:37 . 2007-03-28 11:55 2603520 ----a-w- c:\windows\system32\ativvaxx.dll
2010-08-26 01:23 . 2007-03-28 11:55 688128 ----a-w- c:\windows\system32\ati2cqag.dll
2004-03-11 11:27 . 2007-03-28 12:19 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2008-12-18 00:48 . 2010-10-23 17:49 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-12-18 00:48 . 2010-10-23 17:49 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-18 00:48 . 2010-10-23 17:49 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-12-18 00:48 . 2010-10-23 17:49 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-12-18 00:48 . 2010-10-23 17:49 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\snxPluginsShell]
@="{F4B3B0AA-13D1-4a36-BDA2-2055B0F3D5DE}"
[HKEY_CLASSES_ROOT\CLSID\{F4B3B0AA-13D1-4a36-BDA2-2055B0F3D5DE}]
2010-09-07 16:14 152160 ----a-w- c:\program files\Alwil Software\Avast5\snxPlugins.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\Valve\Steam\steam.exe" [2010-10-22 1242448]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]
"OfficeSyncProcess"="c:\program files\Microsoft Office\Office14\MSOSYNC.EXE" [2010-03-16 718208]
"ICQ"="c:\program files\ICQ6.5\ICQ.exe" [2009-11-16 172792]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-13 16239616]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-08-25 98304]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"RemoteControl10"="c:\program files\CyberLink\PowerDVD10\PDVD10Serv.exe" [2010-02-02 87336]
"BDRegion"="c:\program files\Cyberlink\Shared files\brs.exe" [2010-08-26 75048]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD10\\PowerDVD Cinema\\PowerDVDCinema10.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\WINDOWS\\KMSEmulator.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\duso4\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\duso4\\counter-strike\\hl.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 aswNdis2;avast! Firewall Core Firewall Service;c:\windows\system32\drivers\aswNdis2.sys [15.11.2010 16:24 190416]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1.11.2010 19:07 691696]
R1 aswFW;avast! TDI Firewall driver;c:\windows\system32\drivers\aswFW.sys [15.11.2010 16:24 99792]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [15.11.2010 17:21 340048]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [15.11.2010 17:21 165584]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [28.3.2007 11:25 13696]
R2 {1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC};Power Control [2010/10/31 13:06];c:\program files\CyberLink\PowerDVD10\NavFilter\000.fcl [26.8.2010 12:18 87536]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [15.11.2010 17:21 17744]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [22.10.2010 21:59 304464]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [21.7.2010 12:30 101904]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [22.10.2010 21:59 20952]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [9.1.2010 21:37 4640000]
S2 avast! Firewall;avast! Firewall;"c:\program files\Alwil Software\Avast5\afwServ.exe" --> c:\program files\Alwil Software\Avast5\afwServ.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2010-11-15 c:\windows\Tasks\AutoKMS.job
- c:\windows\AutoKMS.exe [2010-11-08 21:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://start.icq.com/
IE: E&xportovať do programu Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Od&oslať do programu OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\PC\Application Data\Mozilla\Firefox\Profiles\rbcm5208.default\
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - hxxp://sk.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:sk:official
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-15 19:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3250620AS rev.3.AAJ -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2f

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spdk.sys >>UNKNOWN [0x8AE60938]<<
c:\docume~1\PC\LOCALS~1\Temp\catchme.sys
spdk.sys
_asm { PUSH EBP; MOV EBP, ESP; JMP 0xfffffffff568ed8b; }
1 ntkrnlpa!IofCallDriver[0x804EF196] -> \Device\Harddisk0\DR0[0x8AE22AB8]
3 CLASSPNP[0xF74C7FD7] -> ntkrnlpa!IofCallDriver[0x804EF196] -> \Device\0000006a[0x8ADD0328]
5 ACPI[0xF7253620] -> ntkrnlpa!IofCallDriver[0x804EF196] -> \Device\Ide\IdeDeviceP0T0L0-19[0x8AD6BD98]
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
user != kernel MBR !!!
sectors 488397166 (+255): user != kernel

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD10\NavFilter\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(716)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
Completion time: 2010-11-15 19:17:22
ComboFix-quarantined-files.txt 2010-11-15 18:17

Pre-Run: 73 637 146 624 bytes free
Post-Run: 73 876 865 024 bytes free

- - End Of File - - 66007522B9799459A386C48467736514

Re: Please check my ComboFix log

Posted: 15 Nov 2010 20:00
by Rudy

Re: Please check my ComboFix log

Posted: 15 Nov 2010 23:02
by duso
And what am I supposed to do with it? That activator, what is it? What is it for?

Re: Please check my ComboFix log

Posted: 15 Nov 2010 23:20
by Rudy
That is an activator for fraudulent activation of Win7 and Office 2010. Since we do not deal with illegal software here, you will have to sort it out yourself, or with whoever downloaded that file onto your machine.
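The log above and Rudy's reply point at the things a triager wants to pull out of a ComboFix report without reading all 300 lines: executables written straight into c:\windows (KMSEmulator.exe, AutoKMS.exe), the Windows Firewall exception for KMSEmulator.exe, the AutoKMS.job scheduled task that runs AutoKMS.exe, and the GMER "user != kernel MBR" result, which on this machine appears with DAEMON Tools' sptd.sys registered as an R0 driver and spdk.sys in the disk call chain. The script below is an added example written for this page, not ComboFix, GMER or forum code. It parses those sections of the posted log (a shortened excerpt is embedded) and correlates them. The flagging rule (a new .exe directly in %windir%, strengthened by any firewall or scheduled-task reference) and the note that an SPTD module in the disk chain makes the MBR comparison unreliable until SPTD is removed are this example's own heuristics, not anything the tools report.

```python
"""Triage a ComboFix log: correlate executables dropped straight into the Windows
directory with firewall exceptions and scheduled tasks, and put the GMER
'user != kernel MBR' result next to what sits in the disk I/O chain.
Added example for this thread, not ComboFix or forum code; the rules are heuristics."""
import re
from collections import defaultdict

# Excerpt copied from the ComboFix log posted above (shortened, not the full log).
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2010-10-15 to 2010-11-15 )))))))))))))))))))))))))))))))
2010-11-15 17:09 . 2010-11-15 17:09 77824 ------w- c:\windows\KMSEmulator.exe
2010-11-15 16:21 . 2010-09-07 15:52 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-11-08 21:13 . 2010-11-08 21:13 614400 ----a-w- c:\windows\AutoKMS.exe
2010-11-01 18:07 . 2010-11-01 18:07 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\KMSEmulator.exe"=
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1.11.2010 19:07 691696]
Contents of the 'Scheduled Tasks' folder
2010-11-15 c:\windows\Tasks\AutoKMS.job
- c:\windows\AutoKMS.exe [2010-11-08 21:13]
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spdk.sys >>UNKNOWN [0x8AE60938]<<
user != kernel MBR !!!
"""

FILE_RE = re.compile(r"^(\S+ \S+) \. (\S+ \S+)\s+(\d+|-{8})\s+(\S{8})\s+(.+)$")
FW_RE = re.compile(r'^"(.+)"=$')                          # AuthorizedApplications value
JOB_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (.+\.job)$", re.I)
TARGET_RE = re.compile(r"^- (.+?) \[")                    # target listed under a .job
WINROOT_EXE = re.compile(r"^c:\\windows\\[^\\]+\.exe$")   # .exe directly in %windir%
SPTD_MODULE = re.compile(r"^sp\w{2}\.sys$", re.I)         # sptd.sys and its sp??.sys helpers
FW_KEY = "[hklm\\~\\services\\sharedaccess"


def norm(path):
    """Make paths comparable across sections: REGEDIT4 data doubles backslashes,
    firewall entries use %windir%, and case differs between sections."""
    return path.replace("\\\\", "\\").replace("%windir%", r"c:\windows").lower()


def parse_combofix(text):
    """Pull out only the facts the triage needs; every other line is skipped."""
    facts = {"created": [], "fw_allowed": set(), "tasks": {},
             "sptd_driver": False, "disk_chain": [], "mbr_mismatch": False}
    section, job = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("((("):                          # ComboFix section banner
            section = "created" if "Files Created" in line else None
        elif line.startswith("["):                          # registry key: only the FW list matters
            section = "fw" if line.lower().startswith(FW_KEY) else None
        elif line.startswith("Contents of the 'Scheduled Tasks'"):
            section = "tasks"
        elif line.lower().startswith("r0 sptd;"):           # SPTD registered as boot driver
            facts["sptd_driver"] = True
        elif line.startswith("called modules:"):            # GMER disk I/O call chain
            facts["disk_chain"] = line.split()[2:]
        elif line.startswith("user != kernel MBR"):
            facts["mbr_mismatch"] = True
        elif section == "created" and (m := FILE_RE.match(line)):
            facts["created"].append({"created": m[1], "attrs": m[4], "path": norm(m[5])})
        elif section == "fw" and (m := FW_RE.match(line)):
            facts["fw_allowed"].add(norm(m[1]))
        elif section == "tasks" and (m := JOB_RE.match(line)):
            job = norm(m[1])
        elif section == "tasks" and job and (m := TARGET_RE.match(line)):
            facts["tasks"][job] = norm(m[1])
            job = None
    return facts


def triage(facts):
    """Heuristic: a new .exe written straight into %windir% is unusual on XP, and each
    other section referencing it (firewall exception, scheduled task) adds weight."""
    findings = defaultdict(list)
    for e in facts["created"]:
        if WINROOT_EXE.match(e["path"]):
            findings[e["path"]].append("created " + e["created"])
    for p in facts["fw_allowed"]:
        if WINROOT_EXE.match(p):
            findings[p].append("firewall exception")
    for job, target in facts["tasks"].items():
        if WINROOT_EXE.match(target):
            findings[target].append("scheduled task " + job)
    mbr_note = None
    if facts["mbr_mismatch"]:
        sp = [m for m in facts["disk_chain"] if SPTD_MODULE.match(m)]
        if facts["sptd_driver"] and sp:
            mbr_note = ("user != kernel MBR, but sptd.sys (SPTD, installed by DAEMON Tools) is an "
                        "R0 driver and %s sits in the disk I/O chain; re-run the check with SPTD "
                        "removed before calling it a bootkit" % sp[0])
        else:
            mbr_note = "user != kernel MBR with no SPTD module in the chain: possible bootkit"
    return dict(findings), mbr_note


if __name__ == "__main__":
    found, note = triage(parse_combofix(SAMPLE_LOG))
    print(*(f"{p} -> {', '.join(r)}" for p, r in sorted(found.items())), sep="\n")
    print("MBR:", note)
```

Run it with Python 3.8 or newer (it uses `:=`), or feed a full ComboFix.txt to `parse_combofix` instead of the excerpt. On this log it reports KMSEmulator.exe (created in %windir% root plus a firewall exception) and AutoKMS.exe (created in %windir% root plus the AutoKMS.job task), and it does not flag the avast and SPTD drivers under system32\drivers. A hit from this script is a lead to look at, not a verdict; the MBR note exists precisely because a third-party filter in the disk stack can make the user-mode and kernel-mode MBR reads disagree.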