
MDM.exe is not in system32

Posted: 09 Feb 2012 16:27
by GAMELASTER
Hi all, I have this problem: I have Win 7 64-bit Ultimate and some mdm.exe starts when the PC boots... it is hidden and it is in C:\windows... I heard that it is a virus... Is it enough that I deleted it? Or how should I proceed with it?
In Autoruns I found it under Everything, and it has this name: Microsoft Firevall Engine. Yes, Firevall. That immediately seemed odd to me, so I located it and deleted it. Thanks in advance.

Re: MDM.exe is not in system32

Posted: 09 Feb 2012 18:10
by Rudy
Hello!
Please post a ComboFix log.
Download ComboFix and save it, preferably to the desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Then run the application under an account with administrator rights.

Right after it starts, a screen with the license terms appears; continue by clicking the Yes button.

Calmly go and make yourself a coffee (the whole operation takes about 5-10 minutes, sometimes longer, depending on how fast the machine is and how many files the scanner has to wade through). During the scan do not try to launch any other applications or do anything else.

Do not panic during the scan; your machine may be restarted (especially on the first run of the scanner).

Warning: if you use an antispyware product with a resident shield, switch its resident shield to Install Mode, or disable it entirely for the duration of the scan, because the scan and the removal of any malware cause unwanted collisions with the resident antispyware.

Re: MDM.exe is not in system32

Posted: 09 Feb 2012 20:04
by GAMELASTER
ComboFix 12-02-09.04 - Gamelaster . 02. 2012 19:32:57.1.2 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1250.421.1051.18.1789.879 [GMT 1:00]
Running from: c:\users\Gamelaster\Downloads\ComboFix.exe
AV: ESET Smart Security 5.0 *Disabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
FW: ESET personal firewall *Disabled* {4FE52EC8-CB26-1113-0EFE-8842E2773BAA}
SP: ESET Smart Security 5.0 *Disabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\Your Product\lua5.1.dll
c:\users\GAMELA~1\AppData\Local\Temp\TeamViewer\Version7\tv_x64.dll
c:\users\Gamelaster\AppData\Local\Temp\TeamViewer\Version7\tv_x64.dll
c:\windows\pkunzip.pif
c:\windows\pkzip.pif
.
.
((((((((((((((((((((((((( Files Created from 2012-01-09 to 2012-02-09 )))))))))))))))))))))))))))))))
.
.
2012-02-09 18:52 . 2012-02-09 18:52 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-09 12:54 . 2012-02-09 12:54 69000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{67D8C685-8C60-4278-9A21-A3103FF00C89}\offreg.dll
2012-02-08 18:53 . 2012-02-09 18:50 -------- d-----w- c:\program files (x86)\Your Product
2012-02-08 15:29 . 2012-02-08 15:34 -------- d-----w- c:\programdata\Blizzard Entertainment
2012-02-07 14:44 . 2012-02-07 14:44 -------- d-----w- c:\users\Gamelaster\AppData\Roaming\TortoiseSVN
2012-02-07 13:06 . 2012-02-09 12:51 -------- d-----w- c:\users\Gamelaster\AppData\Local\TSVNCache
2012-02-07 13:06 . 2012-02-07 13:06 -------- d-----w- c:\users\Gamelaster\AppData\Roaming\Subversion
2012-02-06 18:54 . 2012-02-06 18:54 -------- d-----w- c:\program files (x86)\Common Files\TortoiseOverlays
2012-02-06 18:54 . 2012-02-06 18:54 -------- d-----w- c:\program files\Common Files\TortoiseOverlays
2012-02-04 16:37 . 2012-02-04 16:41 -------- d-----w- c:\users\Gamelaster\debilina
2012-02-02 16:40 . 2012-02-02 16:40 -------- d-----w- c:\program files (x86)\Common Files\Thraex Software
2012-02-01 16:56 . 2012-02-01 16:56 -------- d-----w- c:\program files (x86)\QipGuard
2012-02-01 16:56 . 2012-02-01 16:56 -------- d-----w- c:\users\Gamelaster\AppData\Roaming\QipGuard
2012-02-01 16:56 . 2012-01-12 11:35 142288 ----a-w- c:\users\Gamelaster\AppData\Roaming\Microsoft\Internet Explorer\qipsearchbar.dll
2012-02-01 16:55 . 2012-02-01 16:56 -------- d-----w- c:\program files (x86)\QIP 2012
2012-02-01 16:46 . 2012-02-06 16:02 -------- d-----w- c:\users\Gamelaster\AppData\Roaming\QIP
2012-01-31 05:43 . 2012-01-31 05:43 -------- d-----w- C:\vcs5BGEffects
2012-01-31 05:40 . 2012-01-31 05:54 -------- d-----w- c:\program files (x86)\AV Vcs 6.0 DIAMOND
2012-01-29 18:52 . 2012-02-05 14:32 -------- d-----w- c:\program files (x86)\MTA San Andreas 1.3
2012-01-28 11:18 . 2012-01-28 11:18 -------- d-----w- c:\users\Gamelaster\AppData\Roaming\Screaming Bee
2012-01-28 11:15 . 2012-01-28 11:15 -------- d-----w- c:\program files (x86)\Screaming Bee
2012-01-27 16:10 . 2012-01-27 16:10 -------- d-----w- c:\users\Gamelaster\AppData\Roaming\HideIPPrivacy
2012-01-27 16:10 . 2012-01-27 16:10 -------- d-----w- c:\programdata\HideIPPrivacy
2012-01-24 18:43 . 2012-01-24 18:43 -------- d-----w- c:\users\Gamelaster\AppData\Roaming\SmartHideIP
2012-01-24 18:43 . 2012-01-24 18:43 -------- d-----w- c:\programdata\SmartHideIP
2012-01-24 14:07 . 2012-01-24 14:08 -------- d-----w- C:\Python27
2012-01-18 20:13 . 2012-01-18 20:13 -------- d-----w- c:\programdata\Blumentals
2012-01-18 20:12 . 2012-01-18 20:12 -------- d-----w- c:\program files (x86)\Rapid PHP 2011
2012-01-18 20:12 . 2012-01-18 20:12 -------- d-----w- c:\users\Gamelaster\AppData\Roaming\Blumentals
2012-01-15 18:34 . 2012-01-15 18:34 -------- d-----w- c:\program files\7-Zip
2012-01-13 21:17 . 2012-01-13 21:18 -------- d-----w- c:\users\Gamelaster\AppData\Local\Facebook
2012-01-13 15:56 . 2012-01-13 15:58 -------- d-----w- c:\program files\trend micro
2012-01-13 15:56 . 2012-01-13 15:58 -------- d-----w- C:\rsit
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-24 13:28 . 2011-10-28 20:04 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-01-09 19:36 . 2011-10-30 08:44 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-01-07 16:04 . 2012-01-07 15:13 2478272 ----a-w- c:\programdata\Microsoft\VisualStudio\10.0\1033\ResourceCache.dll
2011-11-14 18:32 . 2011-11-14 18:32 627600 ----a-w- c:\windows\system32\deployJava1.dll
2003-03-21 12:45 . 2011-12-20 16:42 250544 ----a-w- c:\program files (x86)\Common Files\keyhelp.ocx
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2010-11-21 . FE70103391A64039A921DBFFF9C7AB1B . 1008128 . . [6.1.7601.17514] .. c:\windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_2b5e71b083fc0973\user32.dll
[-] 2011-10-28 . 2C353B6CE0C8D03225CAA2AF33B68D79 . 1008640 . . [6.1.7601.17514] .. c:\windows\system32\user32.dll
.
[-] 2011-10-28 . 861C4346F9281DC0380DE72C8D55D6BE . 833024 . . [6.1.7601.17514] .. c:\windows\SysWOW64\user32.dll
[7] 2010-11-21 . 5E0DB2D8B2750543CD2EBB9EA8E6CDD3 . 833024 . . [6.1.7601.17514] .. c:\windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e\user32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 09:20 64792 ----a-w- c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 09:20 64792 ----a-w- c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 09:20 64792 ----a-w- c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 09:20 64792 ----a-w- c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 09:20 64792 ----a-w- c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 09:20 64792 ----a-w- c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 09:20 64792 ----a-w- c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 09:20 64792 ----a-w- c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 09:20 64792 ----a-w- c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2011-10-13 19550344]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-21 1475584]
"Clownfish"="c:\program files (x86)\Clownfish\Clownfish.exe" [2011-12-23 997888]
"DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2011-08-02 4910912]
"Facebook Update"="c:\users\Gamelaster\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-01-13 137536]
"QIP Internet Guardian"="c:\users\Gamelaster\AppData\Roaming\QipGuard\QipGuard.exe" [2012-01-12 191440]
"Infium"="c:\program files (x86)\QIP 2012\qip.exe" [2012-01-12 7320528]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"QlbCtrl.exe"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2009-11-11 287800]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-09-08 343168]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"AdobeCS5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"LogMeIn Hamachi Ui"="c:\program files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe" [2011-08-15 1955208]
"SoundMAXPnP"="c:\program files (x86)\Analog Devices\Core\smax4pnp.exe" [2009-05-18 1314816]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [x]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4925184]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 ScreamBAudioSvc;ScreamBee Audio;c:\windows\system32\drivers\ScreamingBAudio64.sys [x]
R3 SwitchBoard;SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 VSPerfDrv100;Performance Tools Driver 10.0;d:\program files (x86)\Microsoft Visual Studio 10.0\Team Tools\Performance Tools\x64\VSPerfDrv100.sys [2010-03-17 68440]
R3 WatAdminSvc;Služba Windows Activation Technologies;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\x86\ekrn.exe [2011-09-22 974944]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2009-07-22 61976]
R4 RsFx0103;RsFx0103 Driver;c:\windows\system32\DRIVERS\RsFx0103.sys [x]
R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2009-03-30 427880]
S0 epfwwfp;epfwwfp;c:\windows\system32\DRIVERS\epfwwfp.sys [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [x]
S1 EpfwLWF;Epfw NDIS LightWeight Filter;c:\windows\system32\DRIVERS\EpfwLWF.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-09-08 361984]
S2 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [x]
S2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files (x86)\LogMeIn Hamachi\hamachi-2.exe [2011-08-15 2329480]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [x]
S2 QipGuard;QipGuard;c:\program files (x86)\QipGuard\QipGuard.exe [2012-01-12 191440]
S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys [x]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 Com4QLBEx;Com4QLBEx;c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2009-05-05 228408]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-06-17 10:11 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-08 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2901543845-1208738069-1701217237-1000Core.job
- c:\users\Gamelaster\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-01-13 21:17]
.
2012-02-09 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2901543845-1208738069-1701217237-1000UA.job
- c:\users\Gamelaster\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-01-13 21:17]
.
2012-02-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2901543845-1208738069-1701217237-1000Core.job
- c:\users\Gamelaster\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-30 08:23]
.
2012-02-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2901543845-1208738069-1701217237-1000UA.job
- c:\users\Gamelaster\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-30 08:23]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 09:20 75544 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 09:20 75544 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 09:20 75544 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 09:20 75544 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 09:20 75544 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 09:20 75544 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 09:20 75544 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 09:20 75544 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 09:20 75544 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2011-09-22 4035152]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"SoundMAX"="c:\program files (x86)\Analog Devices\SoundMAX\soundmax.exe" [2009-05-18 3866624]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://qip.ru
uDefault_Search_URL = hxxp://search.qip.ru
mLocal Page = c:\windows\SysWOW64\blank.htm
uSearchAssistant = hxxp://search.qip.ru/ie
IE: E&xportovať do programu Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-Microsoft Firevall Engine - c:\windows\mdm.exe
Wow6432Node-HKLM-Run-Microsoft Firevall Engine - c:\windows\mdm.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0008\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0009\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0010\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-02-09 20:02:09
ComboFix-quarantined-files.txt 2012-02-09 19:02
.
Pre-Run: 8 411 553 792 bytes free
Post-Run: 8 536 887 296 bytes free
.
- - End Of File - - ECE39D2D2D533B6FE718B2489740D302
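
The log above turns on one autostart entry: a Run-key value named "Microsoft Firevall Engine" pointing at c:\windows\mdm.exe, which ComboFix later lists under ORPHANS REMOVED. The following is an added example (not ComboFix's code and not from this forum) that parses the Run-key and orphan lines of a ComboFix log and flags entries with defender-side heuristics: a binary sitting directly in the Windows directory, a vendor name that is one typo away from a real one, and autostarts from a user profile. The sample log text, the user name "alice" and the vendor word list are constructed assumptions.

```python
"""Flag suspicious autostart entries in the text of a ComboFix log.

Added example for this thread; it is not part of ComboFix and not the
forum's own code. It reads the '"Name"="path" [date size]' lines that
ComboFix prints under Run keys, plus the 'HIVE-Run-Name - path' lines
under ORPHANS REMOVED, and scores each distinct entry.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of a ComboFix log (not a real capture).
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2011-10-13 19550344]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-21 1475584]
"QIP Internet Guardian"="c:\users\alice\AppData\Roaming\QipGuard\QipGuard.exe" [2012-01-12 191440]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-Microsoft Firevall Engine - c:\windows\mdm.exe
Wow6432Node-HKLM-Run-Microsoft Firevall Engine - c:\windows\mdm.exe
'''

# "Name"="path" [date size]   (lines under [HK..\Run] keys)
RUN_ENTRY = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[(?P<date>\S+)\s+(?P<size>\d+)\]\s*$')
# HIVE-Run-Name - path       (lines under ORPHANS REMOVED)
ORPHAN = re.compile(r'^(?P<key>[\w-]+?)-Run-(?P<name>.+?) - (?P<path>.+?)\s*$')

# Assumed watch list: words that malware display names commonly imitate.
VENDOR_WORDS = ("microsoft", "windows", "firewall", "defender", "security", "antivirus")


@dataclass
class Finding:
    name: str
    path: str
    source: str                 # "run-key" or "orphan"
    severity: str = "none"      # "high" > "review" > "none"
    reasons: list = field(default_factory=list)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; inputs are short, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_words(name: str) -> list[str]:
    """Tokens of a display name that are one edit away from a vendor word without being it."""
    hits = []
    for tok in re.findall(r"[a-z]+", name.lower()):
        for word in VENDOR_WORDS:
            if tok != word and len(tok) >= 6 and edit_distance(tok, word) == 1:
                hits.append(f"{tok!r} looks like {word!r}")
    return hits


def path_reasons(path: str) -> list[tuple[str, str]]:
    """(severity, reason) pairs derived from where the autostart binary lives."""
    p = path.lower().replace("/", "\\")
    reasons = []
    if ntpath.dirname(p) in ("c:\\windows", "c:\\winnt"):
        reasons.append(("high", "binary placed directly in the Windows directory rather than a system subfolder"))
    if p.startswith("c:\\users\\") or "\\appdata\\" in p or "\\temp\\" in p:
        reasons.append(("review", "autostart from a user profile path, not Program Files or System32"))
    return reasons


def analyze(log_text: str) -> list[Finding]:
    """Return one Finding per distinct (name, path) autostart entry that earned a reason."""
    seen: dict[tuple[str, str], Finding] = {}
    for line in log_text.splitlines():
        line = line.strip()
        m, source = RUN_ENTRY.match(line), "run-key"
        if not m:
            m, source = ORPHAN.match(line), "orphan"
        if not m:
            continue
        name, path = m.group("name"), m.group("path")
        key = (name.lower(), path.lower())
        if key in seen:            # the same entry under HKCU and HKLM counts once
            continue
        f = Finding(name, path, source)
        reasons = path_reasons(path) + [("high", r) for r in lookalike_words(name)]
        if source == "orphan":
            reasons.append(("review", "entry pointed at a file ComboFix no longer found (orphan)"))
        for sev, why in reasons:
            f.reasons.append(why)
            if sev == "high" or f.severity == "none":
                f.severity = sev
        seen[key] = f
    return [f for f in seen.values() if f.reasons]


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.name!r} -> {f.path}")
        for why in f.reasons:
            print(f"         - {why}")
```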

Re: MDM.exe is not in system32

Posted: 09 Feb 2012 20:31
by GAMELASTER
And one more thing: ESET told me it cannot connect to the kernel, and after a restart it now shows nothing at all. That is, I don't see the GUI at all. I only see the ESET caption and nothing else. It reports a problem communicating with the kernel.

Re: MDM.exe is not in system32

Posted: 09 Feb 2012 20:52
by Rudy
Move ComboFix to the desktop. Open Notepad and copy the following into it:
Folder::
c:\users\Gamelaster\AppData\Local\Facebook\Update

Collect::
c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2901543845-1208738069-1701217237-1000Core.job
c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2901543845-1208738069-1701217237-1000UA.job
c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2901543845-1208738069-1701217237-1000UA.job

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Facebook Update"=-

Reglock::
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0008\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0009\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0010\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
Save it to the desktop as CFScript.txt. Then drag it with the mouse onto the ComboFix icon and drop it. CF will start and execute the commands from the script.

Re: MDM.exe is not in system32

Posted: 09 Feb 2012 21:25
by GAMELASTER
OK, I'm going to do it. And isn't it by any chance a virus that spreads itself? And ever since my PC started acting up, I've had it switched on. SSH2 and SFTP are on. It's Linux Debian 6.0.. That one is also acting up somehow now. Apache2 doesn't work at all, same for SFTP and SSH2.... And by the way, is it because of Facebook or what???? And also, my website (gamelaster.eu) displays completely blue... And some websites don't work at all... Some registry entries can't be removed.... And ESET is completely disabled...

Re: MDM.exe is not in system32

Posted: 09 Feb 2012 22:07
by GAMELASTER
ComboFix 12-02-09.04 - Gamelaster . 02. 2012 21:30:03.2.2 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1250.421.1051.18.1789.513 [GMT 1:00]
Running from: c:\users\Gamelaster\Desktop\ComboFix.exe
Command switches used :: c:\users\Gamelaster\Desktop\CFScript.txt
AV: ESET Smart Security 5.0 *Disabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
FW: ESET personal firewall *Disabled* {4FE52EC8-CB26-1113-0EFE-8842E2773BAA}
SP: ESET Smart Security 5.0 *Disabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\QIP 2012\Core\MousePhone.dll
c:\program files (x86)\Your Product\Uninstall
c:\program files (x86)\Your Product\Uninstall\IRIMG1.JPG
c:\program files (x86)\Your Product\Uninstall\IRIMG2.JPG
c:\program files (x86)\Your Product\Uninstall\uninstall.dat
c:\program files (x86)\Your Product\Uninstall\uninstall.xml
c:\users\Gamelaster\AppData\Local\Facebook\Update
c:\users\Gamelaster\AppData\Local\Facebook\Update\1.2.203.0\FacebookCrashHandler.exe
c:\users\Gamelaster\AppData\Local\Facebook\Update\1.2.203.0\FacebookUpdate.exe
c:\users\Gamelaster\AppData\Local\Facebook\Update\1.2.203.0\FacebookUpdateHelper.msi
c:\users\Gamelaster\AppData\Local\Facebook\Update\1.2.203.0\goopdate.dll
c:\users\Gamelaster\AppData\Local\Facebook\Update\1.2.203.0\goopdateres_ar.dll
c:\users\Gamelaster\AppData\Local\Facebook\Update\1.2.203.0\goopdateres_bg.dll
c:\users\Gamelaster\AppData\Local\Facebook\Update\1.2.203.0\goopdateres_bn.dll
c:\users\Gamelaster\AppData\Local\Facebook\Update\1.2.203.0\goopdateres_ca.dll
c:\users\Gamelaster\AppData\Local\Facebook\Update\1.2.203.0\goopdateres_cs.dll
c:\users\Gamelaster\AppData\Local\Facebook\Update\1.2.203.0\goopdateres_da.dll
c:\users\Gamelaster\AppData\Local\Facebook\Update\1.2.203.0\goopdateres_de.dll
c:\users\Gamelaster\AppData\Local\Facebook\Update\1.2.203.0\goopdateres_el.dll
c:\users\Gamelaster\AppData\Local\Facebook\Update\1.2.203.0\goopdateres_en-GB.dll
c:\users\Gamelaster\AppData\Local\Facebook\Update\1.2.203.0\goopdateres_en.dll
c:\users\Gamelaster\AppData\Local\Facebook\Update\1.2.203.0\goopdateres_es-419.dll
c:\users\Gamelaster\AppData\Local\Facebook\Update\1.2.203.0\goopdateres_es.dll
c:\users\Gamelaster\AppData\Local\Facebook\Update\1.2.203.0\goopdateres_et.dll
c:\users\Gamelaster\AppData\Local\Facebook\Update\1.2.203.0\goopdateres_fa.dll
c:\users\Gamelaster\AppData\Local\Facebook\Update\1.2.203.0\goopdateres_fi.dll
c:\users\Gamelaster\AppData\Local\Facebook\Update\1.2.203.0\goopdateres_fil.dll
c:\users\Gamelaster\AppData\Local\Facebook\Update\1.2.203.0\goopdateres_fr.dll
c:\users\Gamelaster\AppData\Local\Facebook\Update\1.2.203.0\goopdateres_gu.dll
c:\users\Gamelaster\AppData\Local\Facebook\Update\1.2.203.0\goopdateres_hi.dll
c:\users\Gamelaster\AppData\Local\Facebook\Update\1.2.203.0\goopdateres_hr.dll
c:\users\Gamelaster\AppData\Local\Facebook\Update\1.2.203.0\goopdateres_hu.dll
c:\users\Gamelaster\AppData\Local\Facebook\Update\1.2.203.0\goopdateres_id.dll
c:\users\Gamelaster\AppData\Local\Facebook\Update\1.2.203.0\goopdateres_is.dll
c:\users\Gamelaster\AppData\Local\Facebook\Update\1.2.203.0\goopdateres_it.dll
c:\users\Gamelaster\AppData\Local\Facebook\Update\1.2.203.0\goopdateres_iw.dll
c:\users\Gamelaster\AppData\Local\Facebook\Update\1.2.203.0\goopdateres_ja.dll
c:\users\Gamelaster\AppData\Local\Facebook\Update\1.2.203.0\goopdateres_kn.dll
c:\users\Gamelaster\AppData\Local\Facebook\Update\1.2.203.0\goopdateres_ko.dll
c:\users\Gamelaster\AppData\Local\Facebook\Update\1.2.203.0\goopdateres_lt.dll
c:\users\Gamelaster\AppData\Local\Facebook\Update\1.2.203.0\goopdateres_lv.dll
c:\users\Gamelaster\AppData\Local\Facebook\Update\1.2.203.0\goopdateres_ml.dll
c:\users\Gamelaster\AppData\Local\Facebook\Update\1.2.203.0\goopdateres_mr.dll
c:\users\Gamelaster\AppData\Local\Facebook\Update\1.2.203.0\goopdateres_ms.dll
c:\users\Gamelaster\AppData\Local\Facebook\Update\1.2.203.0\goopdateres_nl.dll
c:\users\Gamelaster\AppData\Local\Facebook\Update\1.2.203.0\goopdateres_no.dll
c:\users\Gamelaster\AppData\Local\Facebook\Update\1.2.203.0\goopdateres_or.dll
c:\users\Gamelaster\AppData\Local\Facebook\Update\1.2.203.0\goopdateres_pl.dll
c:\users\Gamelaster\AppData\Local\Facebook\Update\1.2.203.0\goopdateres_pt-BR.dll
c:\users\Gamelaster\AppData\Local\Facebook\Update\1.2.203.0\goopdateres_pt-PT.dll
c:\users\Gamelaster\AppData\Local\Facebook\Update\1.2.203.0\goopdateres_ro.dll
c:\users\Gamelaster\AppData\Local\Facebook\Update\1.2.203.0\goopdateres_ru.dll
c:\users\Gamelaster\AppData\Local\Facebook\Update\1.2.203.0\goopdateres_sk.dll
c:\users\Gamelaster\AppData\Local\Facebook\Update\1.2.203.0\goopdateres_sl.dll
c:\users\Gamelaster\AppData\Local\Facebook\Update\1.2.203.0\goopdateres_sr.dll
c:\users\Gamelaster\AppData\Local\Facebook\Update\1.2.203.0\goopdateres_sv.dll
c:\users\Gamelaster\AppData\Local\Facebook\Update\1.2.203.0\goopdateres_ta.dll
c:\users\Gamelaster\AppData\Local\Facebook\Update\1.2.203.0\goopdateres_te.dll
c:\users\Gamelaster\AppData\Local\Facebook\Update\1.2.203.0\goopdateres_th.dll
c:\users\Gamelaster\AppData\Local\Facebook\Update\1.2.203.0\goopdateres_tr.dll
c:\users\Gamelaster\AppData\Local\Facebook\Update\1.2.203.0\goopdateres_uk.dll
c:\users\Gamelaster\AppData\Local\Facebook\Update\1.2.203.0\goopdateres_ur.dll
c:\users\Gamelaster\AppData\Local\Facebook\Update\1.2.203.0\goopdateres_vi.dll
c:\users\Gamelaster\AppData\Local\Facebook\Update\1.2.203.0\goopdateres_zh-CN.dll
c:\users\Gamelaster\AppData\Local\Facebook\Update\1.2.203.0\goopdateres_zh-TW.dll
c:\users\Gamelaster\AppData\Local\Facebook\Update\FacebookUpdate.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-01-09 to 2012-02-09 )))))))))))))))))))))))))))))))
.
.
2012-02-09 20:48 . 2012-02-09 20:48 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-09 19:28 . 2009-03-18 15:35 33856 ---ha-w- c:\windows\system32\hamachi.sys
2012-02-09 19:28 . 2012-02-09 19:28 -------- d-----w- c:\program files (x86)\LogMeIn Hamachi
2012-02-08 18:53 . 2012-02-09 20:47 -------- d-----w- c:\program files (x86)\Your Product
2012-02-08 15:29 . 2012-02-08 15:34 -------- d-----w- c:\programdata\Blizzard Entertainment
2012-02-07 14:44 . 2012-02-07 14:44 -------- d-----w- c:\users\Gamelaster\AppData\Roaming\TortoiseSVN
2012-02-07 13:06 . 2012-02-09 19:26 -------- d-----w- c:\users\Gamelaster\AppData\Local\TSVNCache
2012-02-07 13:06 . 2012-02-07 13:06 -------- d-----w- c:\users\Gamelaster\AppData\Roaming\Subversion
2012-02-06 18:54 . 2012-02-06 18:54 -------- d-----w- c:\program files (x86)\Common Files\TortoiseOverlays
2012-02-06 18:54 . 2012-02-06 18:54 -------- d-----w- c:\program files\Common Files\TortoiseOverlays
2012-02-04 16:37 . 2012-02-04 16:41 -------- d-----w- c:\users\Gamelaster\debilina
2012-02-02 16:40 . 2012-02-02 16:40 -------- d-----w- c:\program files (x86)\Common Files\Thraex Software
2012-02-01 16:56 . 2012-02-01 16:56 -------- d-----w- c:\program files (x86)\QipGuard
2012-02-01 16:56 . 2012-02-01 16:56 -------- d-----w- c:\users\Gamelaster\AppData\Roaming\QipGuard
2012-02-01 16:56 . 2012-01-12 11:35 142288 ----a-w- c:\users\Gamelaster\AppData\Roaming\Microsoft\Internet Explorer\qipsearchbar.dll
2012-02-01 16:55 . 2012-02-01 16:56 -------- d-----w- c:\program files (x86)\QIP 2012
2012-02-01 16:46 . 2012-02-06 16:02 -------- d-----w- c:\users\Gamelaster\AppData\Roaming\QIP
2012-01-31 05:43 . 2012-01-31 05:43 -------- d-----w- C:\vcs5BGEffects
2012-01-31 05:40 . 2012-01-31 05:54 -------- d-----w- c:\program files (x86)\AV Vcs 6.0 DIAMOND
2012-01-29 18:52 . 2012-02-05 14:32 -------- d-----w- c:\program files (x86)\MTA San Andreas 1.3
2012-01-28 11:18 . 2012-01-28 11:18 -------- d-----w- c:\users\Gamelaster\AppData\Roaming\Screaming Bee
2012-01-28 11:15 . 2012-01-28 11:15 -------- d-----w- c:\program files (x86)\Screaming Bee
2012-01-27 16:10 . 2012-01-27 16:10 -------- d-----w- c:\users\Gamelaster\AppData\Roaming\HideIPPrivacy
2012-01-27 16:10 . 2012-01-27 16:10 -------- d-----w- c:\programdata\HideIPPrivacy
2012-01-24 18:43 . 2012-01-24 18:43 -------- d-----w- c:\users\Gamelaster\AppData\Roaming\SmartHideIP
2012-01-24 18:43 . 2012-01-24 18:43 -------- d-----w- c:\programdata\SmartHideIP
2012-01-24 14:07 . 2012-01-24 14:08 -------- d-----w- C:\Python27
2012-01-18 20:13 . 2012-01-18 20:13 -------- d-----w- c:\programdata\Blumentals
2012-01-18 20:12 . 2012-01-18 20:12 -------- d-----w- c:\program files (x86)\Rapid PHP 2011
2012-01-18 20:12 . 2012-01-18 20:12 -------- d-----w- c:\users\Gamelaster\AppData\Roaming\Blumentals
2012-01-15 18:34 . 2012-01-15 18:34 -------- d-----w- c:\program files\7-Zip
2012-01-13 21:17 . 2012-01-13 21:18 -------- d-----w- c:\users\Gamelaster\AppData\Local\Facebook
2012-01-13 15:56 . 2012-01-13 15:58 -------- d-----w- c:\program files\trend micro
2012-01-13 15:56 . 2012-01-13 15:58 -------- d-----w- C:\rsit
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-24 13:28 . 2011-10-28 20:04 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-01-09 19:36 . 2011-10-30 08:44 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-01-07 16:04 . 2012-01-07 15:13 2478272 ----a-w- c:\programdata\Microsoft\VisualStudio\10.0\1033\ResourceCache.dll
2011-11-14 18:32 . 2011-11-14 18:32 627600 ----a-w- c:\windows\system32\deployJava1.dll
2003-03-21 12:45 . 2011-12-20 16:42 250544 ----a-w- c:\program files (x86)\Common Files\keyhelp.ocx
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2010-11-21 . FE70103391A64039A921DBFFF9C7AB1B . 1008128 . . [6.1.7601.17514] .. c:\windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_2b5e71b083fc0973\user32.dll
[-] 2011-10-28 . 2C353B6CE0C8D03225CAA2AF33B68D79 . 1008640 . . [6.1.7601.17514] .. c:\windows\system32\user32.dll
.
[-] 2011-10-28 . 861C4346F9281DC0380DE72C8D55D6BE . 833024 . . [6.1.7601.17514] .. c:\windows\SysWOW64\user32.dll
[7] 2010-11-21 . 5E0DB2D8B2750543CD2EBB9EA8E6CDD3 . 833024 . . [6.1.7601.17514] .. c:\windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e\user32.dll
.
((((((((((((((((((((((((((((( SnapShot@2012-02-09_18.54.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-11-21 03:09 . 2012-02-09 19:29 41158 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-02-09 19:29 42694 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:30 . 2012-02-09 19:39 86016 c:\windows\system32\DriverStore\infpub.dat
- 2009-07-14 05:30 . 2012-01-28 11:16 86016 c:\windows\system32\DriverStore\infpub.dat
- 2011-10-28 19:56 . 2012-02-09 18:05 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-10-28 19:56 . 2012-02-09 20:02 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-10-28 19:56 . 2012-02-09 18:05 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-10-28 19:56 . 2012-02-09 20:02 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-11-03 06:30 . 2012-02-09 20:49 12967 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Bluetooth\bthservsdp.dat
- 2011-11-03 06:30 . 2012-02-09 06:20 12967 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Bluetooth\bthservsdp.dat
+ 2011-10-28 19:36 . 2012-02-09 19:29 8962 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2901543845-1208738069-1701217237-1000_UserData.bin
- 2011-10-28 19:36 . 2012-02-09 12:53 8962 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2901543845-1208738069-1701217237-1000_UserData.bin
+ 2012-02-09 20:50 . 2012-02-09 20:50 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-02-09 12:51 . 2012-02-09 12:51 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-02-09 20:50 . 2012-02-09 20:50 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-02-09 12:51 . 2012-02-09 12:51 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-14 05:30 . 2012-01-28 11:16 143360 c:\windows\system32\DriverStore\infstrng.dat
+ 2009-07-14 05:30 . 2012-02-09 19:39 143360 c:\windows\system32\DriverStore\infstrng.dat
- 2009-07-14 05:30 . 2012-01-28 11:16 143360 c:\windows\system32\DriverStore\infstor.dat
+ 2009-07-14 05:30 . 2012-02-09 19:39 143360 c:\windows\system32\DriverStore\infstor.dat
- 2009-07-14 05:01 . 2012-02-09 06:20 398508 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-02-09 20:49 398508 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2012-01-10 21:10 . 2012-02-09 20:49 1061400 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2012-01-10 21:10 . 2012-02-09 06:20 1061400 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2012-02-09 19:26 . 2012-02-09 19:26 3849216 c:\windows\Installer\2126a.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 09:20 64792 ----a-w- c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 09:20 64792 ----a-w- c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 09:20 64792 ----a-w- c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 09:20 64792 ----a-w- c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 09:20 64792 ----a-w- c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 09:20 64792 ----a-w- c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 09:20 64792 ----a-w- c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 09:20 64792 ----a-w- c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 09:20 64792 ----a-w- c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2011-10-13 19550344]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-21 1475584]
"Clownfish"="c:\program files (x86)\Clownfish\Clownfish.exe" [2011-12-23 997888]
"DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2011-08-02 4910912]
"QIP Internet Guardian"="c:\users\Gamelaster\AppData\Roaming\QipGuard\QipGuard.exe" [2012-01-12 191440]
"Infium"="c:\program files (x86)\QIP 2012\qip.exe" [2012-01-12 7320528]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"QlbCtrl.exe"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2009-11-11 287800]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-09-08 343168]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"AdobeCS5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"SoundMAXPnP"="c:\program files (x86)\Analog Devices\Core\smax4pnp.exe" [2009-05-18 1314816]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"LogMeIn Hamachi Ui"="c:\program files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe" [2012-02-07 1987976]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [x]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4925184]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 ScreamBAudioSvc;ScreamBee Audio;c:\windows\system32\drivers\ScreamingBAudio64.sys [x]
R3 SwitchBoard;SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 VSPerfDrv100;Performance Tools Driver 10.0;d:\program files (x86)\Microsoft Visual Studio 10.0\Team Tools\Performance Tools\x64\VSPerfDrv100.sys [2010-03-17 68440]
R3 WatAdminSvc;Služba Windows Activation Technologies;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2009-07-22 61976]
R4 RsFx0103;RsFx0103 Driver;c:\windows\system32\DRIVERS\RsFx0103.sys [x]
R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2009-03-30 427880]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-09-08 361984]
S2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files (x86)\LogMeIn Hamachi\hamachi-2.exe [2012-02-07 2343816]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [x]
S2 QipGuard;QipGuard;c:\program files (x86)\QipGuard\QipGuard.exe [2012-01-12 191440]
S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys [x]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 Com4QLBEx;Com4QLBEx;c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2009-05-05 228408]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-06-17 10:11 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2901543845-1208738069-1701217237-1000Core.job
- c:\users\Gamelaster\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-30 08:23]
.
2012-02-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2901543845-1208738069-1701217237-1000UA.job
- c:\users\Gamelaster\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-30 08:23]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 09:20 75544 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 09:20 75544 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 09:20 75544 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 09:20 75544 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 09:20 75544 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 09:20 75544 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 09:20 75544 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 09:20 75544 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 09:20 75544 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2011-09-22 4035152]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://qip.ru
uDefault_Search_URL = hxxp://search.qip.ru
mLocal Page = c:\windows\SysWOW64\blank.htm
uSearchAssistant = hxxp://search.qip.ru/ie
IE: E&xportovať do programu Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
.
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
c:\windows\SysWOW64\DllHost.exe
c:\program files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
.
**************************************************************************
.
Completion time: 2012-02-09 22:00:41 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-09 21:00
ComboFix2.txt 2012-02-09 19:02
.
Pre-Run: 8 669 442 048 bytes free
Post-Run: 9 089 085 440 bytes free
.
- - End Of File - - 41168DF5CFE2B4F875BEFCF86BC4B2B8
Upload was successful


OK, so the problem isn't going away at all. ESET still doesn't work; I tried to uninstall it, but strangely it's still there. And it still doesn't work... My website is all blue, and in Chrome the + sign for adding a tab isn't shown.....

Re: MDM.exe is not in system32

Posted: 09 Feb 2012 22:15
by Rudy
Run an AVPTool scan: http://www.viry.cz/forum/viewtopic.php?f=29&t=58179 and post the log.

Re: MDM.exe is not in system32

Posted: 09 Feb 2012 22:19
by GAMELASTER
Whew, how long does it take roughly? It said 23 hours there, surely not.. Or?? Anyway, I'll supply the log tomorrow, not now..

Re: MDM.exe is not in system32

Posted: 09 Feb 2012 22:30
by Rudy
That depends on the size of the disk and the speed of the system. In any case, let it run overnight.

Re: MDM.exe is not in system32

Posted: 11 Feb 2012 14:45
by GAMELASTER
Status: Detected (events: 9)
11. 2. 2012 8:33:50 Detected Trojan program Trojan.Win32.Agent2.dbxq C:\Documents and Settings\Gamelaster\Desktop\Marek\Zabavky\SA-MP\fighter_fx72_by_virus.rar//Fighter_FX72_by_ViRuS/FighterFX.exe High
11. 2. 2012 8:52:03 Detected malware HackTool.MSIL.Loic.av C:\Documents and Settings\Gamelaster\Downloads\DDoS.rar//DDoS/Loic/debug/LOIC.exe Medium
11. 2. 2012 8:52:04 Detected malware Flooder.MSIL.Agent.e C:\Documents and Settings\Gamelaster\Downloads\DDoS.rar//DDoS/Loic/LOIC.exe Medium
11. 2. 2012 12:33:45 Detected malware HackTool.MSIL.Loic.av C:\Users\Gamelaster\Downloads\DDoS.rar//DDoS/Loic/debug/LOIC.exe Medium
11. 2. 2012 12:33:47 Detected malware Flooder.MSIL.Agent.e C:\Users\Gamelaster\Downloads\DDoS.rar//DDoS/Loic/LOIC.exe Medium
11. 2. 2012 14:27:04 Detected Trojan program Trojan.Win32.Agent2.dbxq C:\zaloha\Gamelaster\Desktop\Marek\Zabavky\SA-MP\fighter_fx72_by_virus.rar//Fighter_FX72_by_ViRuS/FighterFX.exe High
11. 2. 2012 14:34:37 Detected Trojan program Trojan.Win32.Genome.njkq C:\zaloha\Gamelaster\Desktop\Marek\Zabavky\SA-MP\w4rhookv7_by_virus.rar//w4rhookv7_by_ViRuS/w4r hook v7.dll High
11. 2. 2012 14:34:38 Detected Trojan program Trojan.Win32.Agent2.dbxq C:\zaloha\Gamelaster\Desktop\Marek\Zabavky\SA-MP\w4rhookv7_by_virus.rar//w4rhookv7_by_ViRuS/w4r hook v7.exe High
11. 2. 2012 14:39:02 Detected Trojan program Trojan.Win32.Agent2.dbxq D:\CS\cdhack4.33.4b\cdhack.exe High
Status: Absent (events: 2)
11. 2. 2012 10:36:38 Not found Trojan program Trojan.Win32.Genome.njkq C:\Documents and Settings\Gamelaster\Desktop\Marek\Zabavky\SA-MP\w4rhookv7_by_virus.rar//w4rhookv7_by_ViRuS/w4r hook v7.dll High
11. 2. 2012 10:36:38 Not found Trojan program Trojan.Win32.Agent2.dbxq C:\Documents and Settings\Gamelaster\Desktop\Marek\Zabavky\SA-MP\w4rhookv7_by_virus.rar//w4rhookv7_by_ViRuS/w4r hook v7.exe High
Status: Deleted (events: 6)
11. 2. 2012 8:54:01 Deleted Trojan program Trojan.Win32.Buzus.kxjj C:\Documents and Settings\Gamelaster\Downloads\Facebook.com-IMG432879 (1).exe High
11. 2. 2012 8:54:02 Deleted Trojan program Trojan.Win32.Buzus.kxjj C:\Documents and Settings\Gamelaster\Downloads\Facebook.com-IMG432879.exe High
11. 2. 2012 9:03:02 Deleted Trojan program Trojan-Downloader.Win32.Banload.bmei C:\Documents and Settings\Gamelaster\Downloads\PacSteamT-09-11-2011.exe High
11. 2. 2012 9:03:02 Deleted Trojan program Trojan-Downloader.Win32.Banload.bmei C:\Documents and Settings\Gamelaster\Downloads\PacSteamT-09-11-2011.exe//ForumINFO\PacForum.exe High
11. 2. 2012 10:34:56 Deleted malware HackTool.MSIL.Loic.av C:\Documents and Settings\Gamelaster\Downloads\DDoS\DDoS\Loic\debug\LOIC.exe Medium
11. 2. 2012 10:34:59 Deleted malware Flooder.MSIL.Agent.e C:\Documents and Settings\Gamelaster\Downloads\DDoS\DDoS\Loic\LOIC.exe Medium

Ahem, PacSteam: it's a virus, but it couldn't have done this, I've been using it for a long time. Same with LOIC, HOIC, CDhack and Fighter X.. So that leaves the Facebook one...

//EDIT: When it started scanning D:, I turned it off; there's 100% no virus on D:...

Re: MDM.exe is not in system32

Posted: 11 Feb 2012 18:09
by GAMELASTER
Also, ESET still doesn't work and Chrome is acting up..

Re: MDM.exe is not in system32

Posted: 11 Feb 2012 18:59
by Rudy
Try reinstalling both applications.

Re: MDM.exe is not in system32

Posted: 11 Feb 2012 19:20
by GAMELASTER
ESET won't uninstall, and I'm going to try Chrome...

Re: MDM.exe is not in system32

Posted: 11 Feb 2012 19:28
by Rudy
To uninstall ESET, use the utility: http://www.enterpolicka.cz/28-hloubkova ... duktu-eset .