Problém s odstraněním "Olmarik trojský kůň"
Napsal: 11 úno 2011 11:22
Zdravím,
ESET NODE32 antivirus detekoval v Operační paměti Win32/Olmarik trojský kůň který "nelze léčit" .
Tady je obsah reportu ComboFixu:
ComboFix 11-02-09.05 - randula 10.02.2011 14:36:44.2.2 - x86
Microsoft® Windows Vista™ Business 6.0.6002.2.1250.420.1029.18.2015.1187 [GMT 1:00]
Spuštěný z: c:\users\randula\Downloads\unvir\ComboFix.exe
AV: ESET NOD32 Antivirus 4.2 *Disabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
SP: ESET NOD32 Antivirus 4.2 *Disabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Vytvořen nový Bod Obnovení
* Rezidentní štít AV je zapnutý
.
((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Předchozí spuštění -------
.
c:\windows\jestertb.dll
c:\windows\system32\UNWISE.EXE
D:\Autorun.inf
.
((((((((((((((((((((((((( Soubory vytvořené od 2011-01-10 do 2011-02-10 )))))))))))))))))))))))))))))))
.
2011-02-10 13:49 . 2011-02-10 13:50 -------- d-----w- c:\users\randula\AppData\Local\temp
2011-02-10 13:49 . 2011-02-10 13:49 -------- d-----w- c:\users\Test\AppData\Local\temp
2011-02-10 13:49 . 2011-02-10 13:49 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-02-10 10:24 . 2011-02-10 10:24 273920 ----a-w- c:\windows\system32\drivers\cbksqquy.sys
2011-02-10 10:22 . 2011-02-10 10:26 -------- d-----w- c:\windows\system32\MpEngineStore
2011-02-09 21:46 . 2011-02-09 21:46 -------- d-----w- c:\users\randula\AppData\Local\ESET
2011-02-09 16:55 . 2011-02-09 16:55 -------- d-----w- c:\program files\ESET
2011-02-09 16:45 . 2011-02-09 16:45 273920 ----a-w- c:\windows\system32\drivers\cfoycasb.sys
2011-02-09 16:38 . 2011-02-09 16:38 273920 ----a-w- c:\windows\system32\drivers\mrrncgqf.sys
2011-02-09 16:12 . 2011-02-09 16:12 273920 ----a-w- c:\windows\system32\drivers\cfhksyco.sys
2011-02-09 15:48 . 2010-04-05 20:00 221568 ----a-w- c:\windows\system32\drivers\netio.sys
2011-01-30 13:57 . 2011-01-30 13:57 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2011-01-30 13:57 . 2011-01-30 13:57 103864 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
2011-01-28 10:20 . 2011-01-28 10:20 -------- d-----w- c:\users\randula\AppData\Roaming\Softtech
2011-01-28 10:16 . 2011-01-28 10:16 -------- d-----w- c:\programdata\Softtech
2011-01-26 13:49 . 2011-01-26 15:13 -------- d-----w- c:\users\randula\AppData\Roaming\TeamViewer
2011-01-20 12:48 . 2011-02-09 16:48 -------- d-----w- c:\program files\Mozilla Firefox 4.0 Beta 9
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-21 15:52 . 2010-12-21 15:52 1201279 ----a-w- c:\windows\unins003.exe
2010-12-21 14:04 . 2010-12-21 14:04 137144 ----a-w- c:\windows\system32\drivers\eamonm.sys
2010-12-21 14:04 . 2010-12-21 14:04 115008 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2010-12-21 12:47 . 2010-12-21 12:47 95384 ----a-w- c:\windows\system32\drivers\epfwwfpr.sys
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"Google Update"="c:\users\randula\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-09-05 133104]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-14 39408]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PTHOSTTR"="c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2007-01-09 145184]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2007-03-12 50696]
"CognizanceTS"="c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2003-12-22 17920]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
"atchk"="c:\program files\Intel\AMT\atchk.exe" [2007-04-10 404248]
"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2007-05-23 192512]
"openvpn-gui"="c:\program files\OpenVPN\bin\openvpn-gui.exe" [2005-08-18 99328]
"IFXSPMGT"="c:\windows\system32\ifxspmgt.exe" [2007-02-15 677408]
"PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2008-01-16 330264]
"bgsmsnd.exe"="c:\windows\system32\bgsmsnd.exe" [2007-11-19 160136]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-02-21 1183744]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-02-18 13830760]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2011-01-12 2219184]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"ST Recovery Launcher"="c:\windows\SMINST\launcher.exe" [2007-03-09 44168]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2007-11-13 192512]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
2007-04-30 06:19 49152 ----a-w- c:\windows\System32\DeviceNP.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
R2 gupdate1c9c974a3a17236;Google Update Service (gupdate1c9c974a3a17236);c:\program files\Google\Update\GoogleUpdate.exe [2009-04-30 133104]
R3 adusbser;AnyDATA USB Device for Legacy Serial Communication;c:\windows\system32\DRIVERS\adusbser.sys [2006-12-20 97920]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2006-11-02 167936]
R3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\system32\flcdlock.exe [2007-04-30 172131]
R3 FNU;FNU;c:\users\randula\AppData\Local\Temp\FNU.exe [x]
R3 Huawei;HUAWEI Mobile Connect - USB Smart Card Reader;c:\windows\system32\DRIVERS\ewdcsc.sys [2009-12-15 23424]
R3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\DRIVERS\ewusbdev.sys [2009-12-15 101120]
R3 QVKRD;QVKRD;c:\users\randula\AppData\Local\Temp\QVKRD.exe [x]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2010-12-21 115008]
S1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\System32\drivers\psd.sys [2007-01-23 39080]
S2 602XML Updater;602Updater;c:\program files\Common Files\soft602\602updsvc\602updsvc.exe [2010-04-14 73728]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2008-01-19 21504]
S2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe [2008-01-19 21504]
S2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe [2008-01-19 21504]
S2 atchksrv;Intel(R) Active Management Technology System Status Service;c:\program files\Intel\AMT\atchksrv.exe [2007-04-10 183064]
S2 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [2010-12-21 137144]
S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2011-01-12 810144]
S2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys [2010-12-21 95384]
S2 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [2007-04-27 221184]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2008-08-07 24880]
S2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [2008-01-16 542744]
S3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-11-17 3668480]
S3 rismc32;RICOH Smart Card Reader;c:\windows\system32\DRIVERS\rismc32.sys [2006-12-20 47616]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
Cognizance REG_MULTI_SZ ASBroker ASChannel
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
LPDService REG_MULTI_SZ LPDSVC
Akamai REG_MULTI_SZ Akamai
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-04-19 11:23 452136 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Obsah adresáře 'Naplánované úlohy'
2011-02-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-30 09:18]
2011-02-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-30 09:18]
2011-02-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-972185092-1158475264-1021527904-1003Core.job
- c:\users\randula\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-05 07:02]
2011-02-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-972185092-1158475264-1021527904-1003UA.job
- c:\users\randula\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-05 07:02]
2011-02-10 c:\windows\Tasks\User_Feed_Synchronization-{D5D93112-F6F4-4B41-82DF-0823431BBFAF}.job
- c:\windows\system32\msfeedssync.exe [2010-10-13 04:25]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.softconsult.tv/
uDefault_Search_URL = hxxp://search.qip.ru
uSearchAssistant = hxxp://search.qip.ru/ie
Trusted Zone: microsoft.com
Trusted Zone: softconsult.tv\www
TCP: {5F80D403-E85B-4897-B8D7-4D1DD9827591} = 217.11.224.1,217.11.224.2
DPF: {5FB60DF1-234D-4067-8A61-536E540DA81E} - hxxp://www.webplaner-innoplus.de/royalstone/royalstone.cab
DPF: {672EE252-D813-4F5E-81BB-5DD163DD4FA5} - hxxps://www.mojedatovaschranka.cz/static/pages/ ... ?3,16,13,0
DPF: {B1953AD6-C50E-11D3-B020-00A0C9251384} - hxxp://www.o2c.de/download/o2cplayer.cab
FF - ProfilePath - c:\users\randula\AppData\Roaming\Mozilla\Firefox\Profiles\i6fmgzo5.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.softconsult.tv/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=cs&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox 4.0 Beta 9\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: O2CPlayer Plugin: o2cplayer@eleco.com - %profile%\extensions\o2cplayer@eleco.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: QipAuthorizer: {32a1fd71-835e-4b11-8e54-886fda0b4c89} - %profile%\extensions\{32a1fd71-835e-4b11-8e54-886fda0b4c89}
FF - Ext: Answers: {C0D0F6D1-9FC9-4b0a-B485-D5E13AF40D51} - %profile%\extensions\{C0D0F6D1-9FC9-4b0a-B485-D5E13AF40D51}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
.
------- Asociace souborů -------
.
.scr=DWGTrueViewScriptFile
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -
HKLM-Run-hpWirelessAssistant - %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
HKLM-Run-WAWifiMessage - %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
HKLM-Run-QlbCtrl - %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
AddRemove-Hardlock Device Drivers - c:\windows\system32\UNWISE.EXE
AddRemove-QipGuard - c:\users\randula\AppData\Roaming\QipGuard\QipGuard.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-10 14:49
Windows 6.0.6002 Service Pack 2 NTFS
skenování skrytých procesů ...
skenování skrytých položek 'Po spuštění' ...
skenování skrytých souborů ...
c:\windows\TEMP\TMP000000463333FE4E1FCF9B5C 524288 bytes executable
sken byl úspešně dokončen
skryté soubory: 1
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6002 Disk: FUJITSU_ rev.891F -> Harddisk0\DR0 -> \Device\Ide\iaStor0
device: opened successfully
user: MBR read successfully
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys hpdskflt.sys hal.dll acpi.sys >>UNKNOWN [0x8FA03EC5]<<
c:\windows\system32\DRIVERS\hpdskflt.sys Hewlett-Packard Corporation Hewlett-Packard Corporation Mobile Data Protection System
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x8693c872; SUB DWORD [EBP-0x4], 0x8693c12e; PUSH EDI; CALL 0xffffffffffffdf33; }
1 ntkrnlpa!IofCallDriver[0x81C8B962] -> \Device\Harddisk0\DR0[0x860A4AC8]
3 CLASSPNP[0x87DC28B3] -> ntkrnlpa!IofCallDriver[0x81C8B962] -> [0x85FA1380]
5 hpdskflt[0x87DA506E] -> ntkrnlpa!IofCallDriver[0x81C8B962] -> [0x84E716D0]
7 acpi[0x806996BC] -> ntkrnlpa!IofCallDriver[0x81C8B962] -> [0x84E74030]
[0x8E6EA920] -> IRP_MJ_CREATE -> 0x8FA03EC5
kernel: MBR read successfully
_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x5d; }
detected disk devices:
\Device\Ide\IAAStorageDevice-0 -> \??\IDE#DiskFUJITSU_MHW2160BH_PL____________________891F____#4&1c6bb5cf&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\iaStor DriverStartIo -> 0x8FA03AEA
user & kernel MBR OK
sectors 312581806 (+255): user != kernel
Warning: possible TDL3 rootkit infection !
**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Celkový čas: 2011-02-10 14:53:54
ComboFix-quarantined-files.txt 2011-02-10 13:53
Před spuštěním: Volných bajtů: 79 768 096 768
Po spuštění: Volných bajtů: 79 744 999 424
- - End Of File - - B766ACE26CC8A7AF722888BBC3A166F4
ESET NODE32 antivirus detekoval v Operační paměti Win32/Olmarik trojský kůň který "nelze léčit" .
Tady je obsah reportu ComboFixu:
ComboFix 11-02-09.05 - randula 10.02.2011 14:36:44.2.2 - x86
Microsoft® Windows Vista™ Business 6.0.6002.2.1250.420.1029.18.2015.1187 [GMT 1:00]
Spuštěný z: c:\users\randula\Downloads\unvir\ComboFix.exe
AV: ESET NOD32 Antivirus 4.2 *Disabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
SP: ESET NOD32 Antivirus 4.2 *Disabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Vytvořen nový Bod Obnovení
* Rezidentní štít AV je zapnutý
.
((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Předchozí spuštění -------
.
c:\windows\jestertb.dll
c:\windows\system32\UNWISE.EXE
D:\Autorun.inf
.
((((((((((((((((((((((((( Soubory vytvořené od 2011-01-10 do 2011-02-10 )))))))))))))))))))))))))))))))
.
2011-02-10 13:49 . 2011-02-10 13:50 -------- d-----w- c:\users\randula\AppData\Local\temp
2011-02-10 13:49 . 2011-02-10 13:49 -------- d-----w- c:\users\Test\AppData\Local\temp
2011-02-10 13:49 . 2011-02-10 13:49 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-02-10 10:24 . 2011-02-10 10:24 273920 ----a-w- c:\windows\system32\drivers\cbksqquy.sys
2011-02-10 10:22 . 2011-02-10 10:26 -------- d-----w- c:\windows\system32\MpEngineStore
2011-02-09 21:46 . 2011-02-09 21:46 -------- d-----w- c:\users\randula\AppData\Local\ESET
2011-02-09 16:55 . 2011-02-09 16:55 -------- d-----w- c:\program files\ESET
2011-02-09 16:45 . 2011-02-09 16:45 273920 ----a-w- c:\windows\system32\drivers\cfoycasb.sys
2011-02-09 16:38 . 2011-02-09 16:38 273920 ----a-w- c:\windows\system32\drivers\mrrncgqf.sys
2011-02-09 16:12 . 2011-02-09 16:12 273920 ----a-w- c:\windows\system32\drivers\cfhksyco.sys
2011-02-09 15:48 . 2010-04-05 20:00 221568 ----a-w- c:\windows\system32\drivers\netio.sys
2011-01-30 13:57 . 2011-01-30 13:57 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2011-01-30 13:57 . 2011-01-30 13:57 103864 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
2011-01-28 10:20 . 2011-01-28 10:20 -------- d-----w- c:\users\randula\AppData\Roaming\Softtech
2011-01-28 10:16 . 2011-01-28 10:16 -------- d-----w- c:\programdata\Softtech
2011-01-26 13:49 . 2011-01-26 15:13 -------- d-----w- c:\users\randula\AppData\Roaming\TeamViewer
2011-01-20 12:48 . 2011-02-09 16:48 -------- d-----w- c:\program files\Mozilla Firefox 4.0 Beta 9
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-21 15:52 . 2010-12-21 15:52 1201279 ----a-w- c:\windows\unins003.exe
2010-12-21 14:04 . 2010-12-21 14:04 137144 ----a-w- c:\windows\system32\drivers\eamonm.sys
2010-12-21 14:04 . 2010-12-21 14:04 115008 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2010-12-21 12:47 . 2010-12-21 12:47 95384 ----a-w- c:\windows\system32\drivers\epfwwfpr.sys
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"Google Update"="c:\users\randula\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-09-05 133104]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-14 39408]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PTHOSTTR"="c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2007-01-09 145184]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2007-03-12 50696]
"CognizanceTS"="c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2003-12-22 17920]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
"atchk"="c:\program files\Intel\AMT\atchk.exe" [2007-04-10 404248]
"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2007-05-23 192512]
"openvpn-gui"="c:\program files\OpenVPN\bin\openvpn-gui.exe" [2005-08-18 99328]
"IFXSPMGT"="c:\windows\system32\ifxspmgt.exe" [2007-02-15 677408]
"PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2008-01-16 330264]
"bgsmsnd.exe"="c:\windows\system32\bgsmsnd.exe" [2007-11-19 160136]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-02-21 1183744]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-02-18 13830760]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2011-01-12 2219184]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"ST Recovery Launcher"="c:\windows\SMINST\launcher.exe" [2007-03-09 44168]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2007-11-13 192512]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
2007-04-30 06:19 49152 ----a-w- c:\windows\System32\DeviceNP.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
R2 gupdate1c9c974a3a17236;Google Update Service (gupdate1c9c974a3a17236);c:\program files\Google\Update\GoogleUpdate.exe [2009-04-30 133104]
R3 adusbser;AnyDATA USB Device for Legacy Serial Communication;c:\windows\system32\DRIVERS\adusbser.sys [2006-12-20 97920]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2006-11-02 167936]
R3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\system32\flcdlock.exe [2007-04-30 172131]
R3 FNU;FNU;c:\users\randula\AppData\Local\Temp\FNU.exe [x]
R3 Huawei;HUAWEI Mobile Connect - USB Smart Card Reader;c:\windows\system32\DRIVERS\ewdcsc.sys [2009-12-15 23424]
R3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\DRIVERS\ewusbdev.sys [2009-12-15 101120]
R3 QVKRD;QVKRD;c:\users\randula\AppData\Local\Temp\QVKRD.exe [x]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2010-12-21 115008]
S1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\System32\drivers\psd.sys [2007-01-23 39080]
S2 602XML Updater;602Updater;c:\program files\Common Files\soft602\602updsvc\602updsvc.exe [2010-04-14 73728]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2008-01-19 21504]
S2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe [2008-01-19 21504]
S2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe [2008-01-19 21504]
S2 atchksrv;Intel(R) Active Management Technology System Status Service;c:\program files\Intel\AMT\atchksrv.exe [2007-04-10 183064]
S2 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [2010-12-21 137144]
S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2011-01-12 810144]
S2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys [2010-12-21 95384]
S2 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [2007-04-27 221184]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2008-08-07 24880]
S2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [2008-01-16 542744]
S3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-11-17 3668480]
S3 rismc32;RICOH Smart Card Reader;c:\windows\system32\DRIVERS\rismc32.sys [2006-12-20 47616]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
Cognizance REG_MULTI_SZ ASBroker ASChannel
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
LPDService REG_MULTI_SZ LPDSVC
Akamai REG_MULTI_SZ Akamai
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-04-19 11:23 452136 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Obsah adresáře 'Naplánované úlohy'
2011-02-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-30 09:18]
2011-02-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-30 09:18]
2011-02-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-972185092-1158475264-1021527904-1003Core.job
- c:\users\randula\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-05 07:02]
2011-02-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-972185092-1158475264-1021527904-1003UA.job
- c:\users\randula\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-05 07:02]
2011-02-10 c:\windows\Tasks\User_Feed_Synchronization-{D5D93112-F6F4-4B41-82DF-0823431BBFAF}.job
- c:\windows\system32\msfeedssync.exe [2010-10-13 04:25]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.softconsult.tv/
uDefault_Search_URL = hxxp://search.qip.ru
uSearchAssistant = hxxp://search.qip.ru/ie
Trusted Zone: microsoft.com
Trusted Zone: softconsult.tv\www
TCP: {5F80D403-E85B-4897-B8D7-4D1DD9827591} = 217.11.224.1,217.11.224.2
DPF: {5FB60DF1-234D-4067-8A61-536E540DA81E} - hxxp://www.webplaner-innoplus.de/royalstone/royalstone.cab
DPF: {672EE252-D813-4F5E-81BB-5DD163DD4FA5} - hxxps://www.mojedatovaschranka.cz/static/pages/ ... ?3,16,13,0
DPF: {B1953AD6-C50E-11D3-B020-00A0C9251384} - hxxp://www.o2c.de/download/o2cplayer.cab
FF - ProfilePath - c:\users\randula\AppData\Roaming\Mozilla\Firefox\Profiles\i6fmgzo5.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.softconsult.tv/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=cs&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox 4.0 Beta 9\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: O2CPlayer Plugin: o2cplayer@eleco.com - %profile%\extensions\o2cplayer@eleco.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: QipAuthorizer: {32a1fd71-835e-4b11-8e54-886fda0b4c89} - %profile%\extensions\{32a1fd71-835e-4b11-8e54-886fda0b4c89}
FF - Ext: Answers: {C0D0F6D1-9FC9-4b0a-B485-D5E13AF40D51} - %profile%\extensions\{C0D0F6D1-9FC9-4b0a-B485-D5E13AF40D51}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
.
------- Asociace souborů -------
.
.scr=DWGTrueViewScriptFile
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -
HKLM-Run-hpWirelessAssistant - %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
HKLM-Run-WAWifiMessage - %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
HKLM-Run-QlbCtrl - %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
AddRemove-Hardlock Device Drivers - c:\windows\system32\UNWISE.EXE
AddRemove-QipGuard - c:\users\randula\AppData\Roaming\QipGuard\QipGuard.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-10 14:49
Windows 6.0.6002 Service Pack 2 NTFS
skenování skrytých procesů ...
skenování skrytých položek 'Po spuštění' ...
skenování skrytých souborů ...
c:\windows\TEMP\TMP000000463333FE4E1FCF9B5C 524288 bytes executable
sken byl úspešně dokončen
skryté soubory: 1
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6002 Disk: FUJITSU_ rev.891F -> Harddisk0\DR0 -> \Device\Ide\iaStor0
device: opened successfully
user: MBR read successfully
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys hpdskflt.sys hal.dll acpi.sys >>UNKNOWN [0x8FA03EC5]<<
c:\windows\system32\DRIVERS\hpdskflt.sys Hewlett-Packard Corporation Hewlett-Packard Corporation Mobile Data Protection System
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x8693c872; SUB DWORD [EBP-0x4], 0x8693c12e; PUSH EDI; CALL 0xffffffffffffdf33; }
1 ntkrnlpa!IofCallDriver[0x81C8B962] -> \Device\Harddisk0\DR0[0x860A4AC8]
3 CLASSPNP[0x87DC28B3] -> ntkrnlpa!IofCallDriver[0x81C8B962] -> [0x85FA1380]
5 hpdskflt[0x87DA506E] -> ntkrnlpa!IofCallDriver[0x81C8B962] -> [0x84E716D0]
7 acpi[0x806996BC] -> ntkrnlpa!IofCallDriver[0x81C8B962] -> [0x84E74030]
[0x8E6EA920] -> IRP_MJ_CREATE -> 0x8FA03EC5
kernel: MBR read successfully
_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x5d; }
detected disk devices:
\Device\Ide\IAAStorageDevice-0 -> \??\IDE#DiskFUJITSU_MHW2160BH_PL____________________891F____#4&1c6bb5cf&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\iaStor DriverStartIo -> 0x8FA03AEA
user & kernel MBR OK
sectors 312581806 (+255): user != kernel
Warning: possible TDL3 rootkit infection !
**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Celkový čas: 2011-02-10 14:53:54
ComboFix-quarantined-files.txt 2011-02-10 13:53
Před spuštěním: Volných bajtů: 79 768 096 768
Po spuštění: Volných bajtů: 79 744 999 424
- - End Of File - - B766ACE26CC8A7AF722888BBC3A166F4
Stáhněte TDSSKiller 