win32/Mebroot.K Trojan

MartinGLX
Guest
Posts: 4
Registered: 03 Oct 2008 16:55

win32/Mebroot.K Trojan

#1 Post by MartinGLX »

Hello,

A little under a week ago my computer got infected. After a while I was forced to format it, but two days after installing Service Pack 3 the system was falling apart even more. About 3 minutes after Windows started, the desktop froze, or rather it looked empty :| I downloaded more antivirus programs to find out where the trouble was. Finally NOD32 gave me an answer in the form of this message:
"win32/Mebroot.K Trojan horse, MBR sector of the 1st physical disk"
But it was unable to clean it. When I had it check all boot sectors of all disks (and partitions), it found 5 infiltrations of the same type.
Spyware Doctor didn't find it. A second format of the first disk's partition didn't help either :roll:
I tried searching for a similar problem on the net, but not even the little program mebroot Trojan removal tool helped me, because it found nothing. So I tried the program recommended here, HijackThis, and this is what it printed:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:51:00, on 3.10.2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\csrss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
E:\Program Files\Spyware Doctor\pctsAuxs.exe
E:\Program Files\Spyware Doctor\pctsSvc.exe
E:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
E:\Program Files\Spyware Doctor\pctsTray.exe
E:\WINDOWS\System32\ctfmon.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe
E:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [egui] "E:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [ISTray] "E:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - E:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - E:\WINDOWS\web\related.htm
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - E:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - E:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - E:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - E:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 2412 bytes

So what do I do with it?? Thanks for any advice.

earl
VIP
Posts: 1279
Registered: 14 Dec 2005 20:59
Location: Brno

Re: win32/Mebroot.K Trojan

#2 Post by earl »

download MBR

move mbr.exe to the directory C:\Windows

the next steps are as follows:

Start/Run, type cmd into the box and press Enter.

a command-prompt window will pop up; type in the command by hand:

mbr.exe -f

and press Enter

After the operation finishes, restart, run mbr once more, this time normally, and post the log here
Autoruns + HitmanPro + UPM + Avenger + GMER + OTM + AVPTool + RSIT + RootRepeal
________________________________________________________________________________________
AN UPDATED ANTIVIRUS AND A PERSONAL FIREWALL ARE TWO ESSENTIAL PROTECTIVE COMPONENTS OF EVERY PC CONNECTED TO THE INTERNET!!!
BY BACKING UP YOUR PERSONAL DATA YOU WILL NOT LOSE IT IN CASE OF FATAL SOFTWARE OR HARDWARE PROBLEMS!!
DO NOT USE COMBOFIX ON YOUR OWN, ONLY WHEN YOU ARE ASKED TO. INCORRECT HANDLING OF IT CAN RENDER THE SYSTEM UNUSABLE!
___________________________________________________________
----------------------earl@forum.viry.cz-----------------------
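Added example (not part of the thread and not the gmer mbr.exe tool itself): what the "user & kernel MBR" comparison that mbr.exe reports is actually checking, written out in Python against the standard MBR layout (446 bytes of boot code with the NT disk signature at offset 440, four 16-byte partition entries at 446, 0x55AA at 510). A bootkit that filters disk reads hands the clean original sector to user-mode readers while the real sector 0 carries its loader, so the tell-tale is boot code that differs between the two reads while the partition table stays identical. The two sample sectors are constructed here; reading a real sector 0 (\\.\PhysicalDrive0 on Windows, with administrator rights) is left out on purpose, and the names of the functions are my own.

```python
"""Offline MBR triage: parse a 512-byte sector, fingerprint its boot code and
compare a normal (hookable) read with a read that bypasses the rootkit.
Added example for this thread; not the gmer mbr.exe tool."""
import hashlib
import struct

SECTOR_SIZE = 512
DISK_SIG_OFF = 440        # 4-byte NT disk signature + 2 reserved bytes
PART_TABLE_OFF = 446      # four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"    # bytes 510-511
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Hash the boot code and decode the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    if sector[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _, ptype, _, lba_start, count = struct.unpack_from(ENTRY_FMT, sector, off)
        if ptype:  # type 0 means an unused slot
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:DISK_SIG_OFF]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
    }


def compare_views(user_view: bytes, kernel_view: bytes) -> dict:
    """Same idea as the mbr.exe check: the sector as seen through the normal
    read path versus a read the rootkit cannot filter. A bootkit that hides
    itself serves the clean original to user mode, so the boot code differs
    while the partition table (which it must keep intact to boot) is identical."""
    u, k = parse_mbr(user_view), parse_mbr(kernel_view)
    code_same = u["boot_code_sha256"] == k["boot_code_sha256"]
    table_same = u["partitions"] == k["partitions"]
    if code_same and table_same:
        verdict = "user & kernel MBR OK"
    elif table_same:
        verdict = "boot code differs, partition table identical: bootkit-style hiding"
    else:
        verdict = "MBR views differ"
    return {"code_same": code_same, "table_same": table_same, "verdict": verdict}


def unallocated_tail(sector: bytes, disk_sectors: int) -> int:
    """Sectors after the end of the last partition. That unpartitioned space is
    where MBR bootkits typically store their driver, outside any filesystem a
    file-based scan would cover; image it when an MBR infection is confirmed."""
    parts = parse_mbr(sector)["partitions"]
    end = max((p["lba_start"] + p["sectors"] for p in parts), default=0)
    return max(disk_sectors - end, 0)


def build_sample(boot_fill: int) -> bytes:
    """Constructed MBR for the demo: filler boot code, one bootable NTFS partition."""
    boot_code = bytes([boot_fill]) * DISK_SIG_OFF
    disk_sig = struct.pack("<IH", 0x12345678, 0)
    table = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 2_000_000)
    table += bytes(16 * 3)
    return boot_code + disk_sig + table + BOOT_SIG


CLEAN_MBR = build_sample(0x90)    # what a hooked user-mode read would return
PATCHED_MBR = build_sample(0xEB)  # same table, boot code replaced by the rootkit

if __name__ == "__main__":
    print(parse_mbr(CLEAN_MBR)["partitions"])
    print(compare_views(CLEAN_MBR, CLEAN_MBR)["verdict"])
    print(compare_views(CLEAN_MBR, PATCHED_MBR)["verdict"])
    print(unallocated_tail(CLEAN_MBR, 2_100_000), "sectors after the last partition")
```

The second verdict in the run is the case mbr.exe is built to catch; the first is the "user & kernel MBR OK" line that appears later in this thread, and a clean comparison only says the two read paths agree, not that the boot code is the original one, which is why the thread still follows up with an on-disk scan.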

MartinGLX
Guest
Posts: 4
Registered: 03 Oct 2008 16:55

Re: win32/Mebroot.K Trojan

#3 Post by MartinGLX »

Done, here is the result:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:23:04, on 3.10.2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\csrss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
E:\Program Files\Spyware Doctor\pctsAuxs.exe
E:\Program Files\Spyware Doctor\pctsSvc.exe
E:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
E:\Program Files\Spyware Doctor\pctsTray.exe
E:\WINDOWS\System32\ctfmon.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe
E:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [egui] "E:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [ISTray] "E:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - E:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - E:\WINDOWS\web\related.htm
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - E:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - E:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - E:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - E:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 2412 bytes

earl
VIP
Posts: 1279
Registered: 14 Dec 2005 20:59
Location: Brno

Re: win32/Mebroot.K Trojan

#4 Post by earl »

Well, I asked for the log from MBR.

MartinGLX
Guest
Posts: 4
Registered: 03 Oct 2008 16:55

Re: win32/Mebroot.K Trojan

#5 Post by MartinGLX »

It prints the same thing for me both before and after:

Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

earl
VIP
Posts: 1279
Registered: 14 Dec 2005 20:59
Location: Brno

Re: win32/Mebroot.K Trojan

#6 Post by earl »

the rootkit is gone.
scan the PC with CureIt from my signature.

MartinGLX
Guest
Posts: 4
Registered: 03 Oct 2008 16:55

Re: win32/Mebroot.K Trojan

#7 Post by MartinGLX »

Well, even though it printed that message, NOD32 still found it :wink:

Luckily, that program of yours then found it too:
infected with BackDoor.MaosBoot
and, surprisingly, managed to remove it, so thanks a lot :)

earl
VIP
Posts: 1279
Registered: 14 Dec 2005 20:59
Location: Brno

Re: win32/Mebroot.K Trojan

#8 Post by earl »

You're welcome.

lukos
Guest
Posts: 1
Registered: 27 Jan 2009 20:19

Re: win32/Mebroot.K Trojan

#9 Post by lukos »

Hello,
I wasn't pleased either by the NOD message that my disk had been attacked by this trojan
here is the log from HT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:17:57, on 27.1.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.cz/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [GEST] =
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [RGSC] C:\Program Files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe /silent
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Need for Speed™ Undercover Registration.lnk = C:\Program Files\EA Games\Need for Speed Undercover\Support\EAregister.exe
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 5425 bytes


Could someone please advise?
Thank you

earl
VIP
Posts: 1279
Registered: 14 Dec 2005 20:59
Location: Brno

Re: win32/Mebroot.K Trojan

#10 Post by earl »

download MBR - http://www2.gmer.net/mbr/mbr.exe save it to the desktop > run it > a log mbr.log is created, paste the whole thing here.

Brucoun
Guest
Posts: 112
Registered: 04 May 2009 09:42

Re: win32/Mebroot.K Trojan

#11 Post by Brucoun »

Hi,

I need help with a log from GMER.

Symantec found Trojan.Mebroot on my machine .. after reading the forum I ran Dr.Web CureIt on it.
It found it and supposedly removed it .... But then Symantec found it again.

So I ran GMER and I'm posting the log it produced here (I don't understand it at all :( )

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-05-04 07:10:25
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT E20770B8 ZwConnectPort
SSDT spfz.sys ZwCreateKey [0xB9EA80E0]
SSDT spfz.sys ZwEnumerateKey [0xB9EC6CA2]
SSDT spfz.sys ZwEnumerateValueKey [0xB9EC7030]
SSDT spfz.sys ZwOpenKey [0xB9EA80C0]
SSDT spfz.sys ZwQueryKey [0xB9EC7108]
SSDT spfz.sys ZwQueryValueKey [0xB9EC6F88]
SSDT spfz.sys ZwSetValueKey [0xB9EC719A]
SSDT \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys ZwUnloadKey [0x9BCB56D0]

INT 0x62 ? 89D63BF8
INT 0x63 ? 89BB4F00
INT 0x73 ? 89DCFBF8
INT 0x82 ? 89D63BF8
INT 0x83 ? 89DCFBF8
INT 0xB4 ? 89BB4F00

---- Kernel code sections - GMER 1.0.15 ----

? spfz.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B8D578AC 5 Bytes JMP 89BB44E0
.text avrqnick.SYS B7C17384 1 Byte [20]
.text avrqnick.SYS B7C17384 37 Bytes [20, 00, 00, 68, 00, 00, 00, ...]
.text avrqnick.SYS B7C173AA 24 Bytes [00, 00, 20, 00, 00, E0, 00, ...]
.text avrqnick.SYS B7C173C4 3 Bytes [00, 00, 00]
.text avrqnick.SYS B7C173C9 1 Byte [00]
.text ...
? C:\WINDOWS\system32\Drivers\uphcleanhlp.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] msvcrt.dll!??2@YAPAXI@Z 77C19CC5 5 Bytes JMP 0A93B250 C:\WINDOWS\system32\SH33W32.dll
.text C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] msvcrt.dll!??3@YAXPAX@Z 77C19CDD 5 Bytes JMP 0A93B2A0 C:\WINDOWS\system32\SH33W32.dll
.text C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] msvcrt.dll!?set_new_handler@@YAP6AXXZP6AXXZ@Z 77C19D9F 5 Bytes JMP 0A93B2C0 C:\WINDOWS\system32\SH33W32.dll
.text C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] msvcrt.dll!_expand 77C19FE5 5 Bytes JMP 0A93B230 C:\WINDOWS\system32\SH33W32.dll
.text C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] msvcrt.dll!_heapadd 77C1BC9F 5 Bytes JMP 0A93B310 C:\WINDOWS\system32\SH33W32.dll
.text C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] msvcrt.dll!_heapchk 77C1BCB3 5 Bytes JMP 0A93B320 C:\WINDOWS\system32\SH33W32.dll
.text C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] msvcrt.dll!_heapset + 1 77C1BD83 4 Bytes JMP 0A93B351 C:\WINDOWS\system32\SH33W32.dll
.text C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] msvcrt.dll!_heapmin 77C1BD8C 5 Bytes JMP 0A93B420 C:\WINDOWS\system32\SH33W32.dll
.text C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] msvcrt.dll!_heapused 77C1BE3A 5 Bytes JMP 0A93B3F0 C:\WINDOWS\system32\SH33W32.dll
.text C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] msvcrt.dll!_heapwalk 77C1BE4D 5 Bytes JMP 0A93B360 C:\WINDOWS\system32\SH33W32.dll
.text C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] msvcrt.dll!_msize 77C1BF6C 5 Bytes JMP 0A93B180 C:\WINDOWS\system32\SH33W32.dll
.text C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] msvcrt.dll!calloc 77C1C0C3 5 Bytes JMP 0A93B110 C:\WINDOWS\system32\SH33W32.dll
.text C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] msvcrt.dll!free 77C1C21B 5 Bytes JMP 0A93B170 C:\WINDOWS\system32\SH33W32.dll
.text C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] msvcrt.dll!malloc 77C1C407 5 Bytes JMP 0A93B0D0 C:\WINDOWS\system32\SH33W32.dll
.text C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] msvcrt.dll!realloc 77C1C437 5 Bytes JMP 0A93B150 C:\WINDOWS\system32\SH33W32.dll

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EA9040] spfz.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EA913C] spfz.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EA90BE] spfz.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EA97FC] spfz.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EA96D2] spfz.sys
IAT \SystemRoot\System32\Drivers\avrqnick.SYS[HAL.dll!KfAcquireSpinLock] 000000AD
IAT \SystemRoot\System32\Drivers\avrqnick.SYS[HAL.dll!READ_PORT_UCHAR] 000000D4
IAT \SystemRoot\System32\Drivers\avrqnick.SYS[HAL.dll!KeGetCurrentIrql] 000000A2
IAT \SystemRoot\System32\Drivers\avrqnick.SYS[HAL.dll!KfRaiseIrql] 000000AF
IAT \SystemRoot\System32\Drivers\avrqnick.SYS[HAL.dll!KfLowerIrql] 0000009C
IAT \SystemRoot\System32\Drivers\avrqnick.SYS[HAL.dll!HalGetInterruptVector] 000000A4
IAT \SystemRoot\System32\Drivers\avrqnick.SYS[HAL.dll!HalTranslateBusAddress] 00000072
IAT \SystemRoot\System32\Drivers\avrqnick.SYS[HAL.dll!KeStallExecutionProcessor] 000000C0
IAT \SystemRoot\System32\Drivers\avrqnick.SYS[HAL.dll!KfReleaseSpinLock] 000000B7
IAT \SystemRoot\System32\Drivers\avrqnick.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 000000FD
IAT \SystemRoot\System32\Drivers\avrqnick.SYS[HAL.dll!READ_PORT_USHORT] 00000093
IAT \SystemRoot\System32\Drivers\avrqnick.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 00000026
IAT \SystemRoot\System32\Drivers\avrqnick.SYS[HAL.dll!WRITE_PORT_UCHAR] 00000036
IAT \SystemRoot\System32\Drivers\avrqnick.SYS[WMILIB.SYS!WmiSystemControl] 000000F7
IAT \SystemRoot\System32\Drivers\avrqnick.SYS[WMILIB.SYS!WmiCompleteRequest] 000000CC
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B9EB9048] spfz.sys

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LocalSize] [0A93C2E0] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [0A93A0A0] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GlobalHandle] [0A93C100] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [0A939F10] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LocalUnlock] [0A93C300] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LocalLock] [0A93C2A0] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LocalReAlloc] [0A93C2C0] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GlobalAlloc] [0A93C0A0] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GlobalReAlloc] [0A93C140] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [0A939F90] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!FreeLibrary] [0A93A200] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GlobalFlags] [0A93C0C0] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GlobalFree] [0A93C0E0] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LocalAlloc] [0A93C220] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LocalFree] [0A93C260] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GlobalSize] [0A93C160] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GlobalLock] [0A93C120] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GlobalUnlock] [0A93C180] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\USER32.dll [ntdll.dll!RtlAllocateHeap] [0A93B8C0] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\USER32.dll [ntdll.dll!RtlFreeHeap] [0A93BA00] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LocalReAlloc] [0A93C2C0] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GlobalLock] [0A93C120] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GlobalUnlock] [0A93C180] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [0A93A0A0] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [0A939F10] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LocalFree] [0A93C260] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LocalAlloc] [0A93C220] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!FreeLibrary] [0A93A200] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [0A939F90] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GlobalAlloc] [0A93C0A0] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GlobalSize] [0A93C160] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GlobalFree] [0A93C0E0] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\GDI32.dll [ntdll.dll!RtlAllocateHeap] [0A93B8C0] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\GDI32.dll [ntdll.dll!RtlFreeHeap] [0A93BA00] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LocalFree] [0A93C260] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LocalAlloc] [0A93C220] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LocalReAlloc] [0A93C2C0] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] [0A93A0A0] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!GetProcessHeap] [0A93B830] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] [0A939F90] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!FreeLibrary] [0A93A200] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [0A939F10] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\ADVAPI32.dll [ntdll.dll!RtlFreeHeap] [0A93BA00] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\ADVAPI32.dll [ntdll.dll!RtlAllocateHeap] [0A93B8C0] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\ADVAPI32.dll [ntdll.dll!RtlReAllocateHeap] [0A93BA90] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!GlobalFree] [0A93C0E0] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [0A939F10] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [0A939F90] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!FreeLibrary] [0A93A200] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!GetProcessHeap] [0A93B830] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\RPCRT4.dll [ntdll.dll!RtlFreeHeap] [0A93BA00] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\RPCRT4.dll [ntdll.dll!RtlAllocateHeap] [0A93B8C0] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [0A939F10] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW] [0A939F90] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!FreeLibrary] [0A93A200] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LocalFree] [0A93C260] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LocalAlloc] [0A93C220] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\Secur32.dll [ntdll.dll!RtlFreeHeap] [0A93BA00] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\Secur32.dll [ntdll.dll!RtlAllocateHeap] [0A93B8C0] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryA] [0A939F10] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!FreeLibrary] [0A93A200] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetProcessHeap] [0A93B830] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!HeapDestroy] [0A93B9C0] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!HeapCreate] [0A93B960] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!HeapValidate] [0A93BB40] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!HeapCompact] [0A93B930] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!HeapWalk] [0A93BB80] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!HeapCreate] [0A93B960] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcessHeap] [0A93B830] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!HeapDestroy] [0A93B9C0] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [0A939F10] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GlobalReAlloc] [0A93C140] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LocalSize] [0A93C2E0] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GlobalSize] [0A93C160] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GlobalAlloc] [0A93C0A0] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GlobalLock] [0A93C120] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GlobalUnlock] [0A93C180] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GlobalFree] [0A93C0E0] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [0A939F90] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [0A93A0A0] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!FreeLibrary] [0A93A200] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LocalAlloc] [0A93C220] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LocalFree] [0A93C260] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LocalReAlloc] [0A93C2C0] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [0A93A010] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\SHELL32.dll [ntdll.dll!RtlFreeHeap] [0A93BA00] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GlobalUnlock] [0A93C180] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GlobalFree] [0A93C0E0] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GlobalAlloc] [0A93C0A0] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GlobalLock] [0A93C120] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [0A93A010] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [0A93A0A0] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [0A939F90] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!FreeLibrary] [0A93A200] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!FreeLibraryAndExitThread] [0A93A230] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LocalSize] [0A93C2E0] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!HeapDestroy] [0A93B9C0] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!HeapCreate] [0A93B960] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [0A939F10] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LocalReAlloc] [0A93C2C0] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LocalAlloc] [0A93C220] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LocalFree] [0A93C260] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [0A939F10] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FreeLibrary] [0A93A200] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [0A939F90] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalUnlock] [0A93C180] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalLock] [0A93C120] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcessHeap] [0A93B830] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!HeapValidate] [0A93BB40] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!HeapCompact] [0A93B930] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LocalAlloc] [0A93C220] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LocalFree] [0A93C260] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [0A93A0A0] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FreeLibraryAndExitThread] [0A93A230] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] [0A93A010] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalFree] [0A93C0E0] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalAlloc] [0A93C0A0] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalSize] [0A93C160] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalReAlloc] [0A93C140] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LocalUnlock] [0A93C300] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LocalLock] [0A93C2A0] C:\WINDOWS\system32\SH33W32.dll
IAT C:\Corel\Graphics8\Programs\MFIndexer.exe[1684] @ C:\WINDOWS\system32\ole32.dll [ntdll.dll!RtlFreeHeap] [0A93BA00] C:\WINDOWS\system32\SH33W32.dll

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 89DCE1F8

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

Device \FileSystem\Fastfat \FatCdrom 88932500

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\NetBT \Device\NetBT_Tcpip_{49B7808E-C826-48B0-8DCD-17D32282BB6E} 897EF500
Device \Driver\usbohci \Device\USBPDO-0 89BA4500
Device \Driver\usbehci \Device\USBPDO-1 89B74500
Device \Driver\NetBT \Device\NetBT_Tcpip_{14217C79-DF98-4835-8813-19C59AF3B74E} 897EF500

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\nvata \Device\00000070 89DCF1F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 89D641F8
Device \Driver\nvata \Device\00000071 89DCF1F8
Device \Driver\sptd \Device\1378489512 spfz.sys
Device \Driver\Cdrom \Device\CdRom0 899CC1F8
Device \Driver\Cdrom \Device\CdRom1 899CC1F8
Device \Driver\Cdrom \Device\CdRom2 899CC1F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 897EF500
Device \Driver\NetBT \Device\NetbiosSmb 897EF500
Device \Driver\PCI_PNP4512 \Device\0000004e spfz.sys

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\usbohci \Device\USBFDO-0 89BA4500
Device \Driver\usbehci \Device\USBFDO-1 89B74500
Device \Driver\nvatabus \Device\NvAta0 89D631F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 897EA500
Device \Driver\nvata \Device\NvAta1 89DCF1F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 897EA500
Device \Driver\nvata \Device\NvAta2 89DCF1F8
Device \Driver\Ftdisk \Device\FtControl 89D641F8
Device \Driver\avrqnick \Device\Scsi\avrqnick1Port3Path0Target0Lun0 899831F8
Device \Driver\avrqnick \Device\Scsi\avrqnick1Port3Path0Target1Lun0 899831F8
Device \Driver\avrqnick \Device\Scsi\avrqnick1 899831F8
Device \FileSystem\Fastfat \Fat 88932500

AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

Device \FileSystem\Cdfs \Cdfs 89873500

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x7C 0x72 0xEE 0x1A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x20 0x96 0xC8 0x12 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xCF 0x29 0x34 0xD8 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x57 0x58 0x7A 0x9D ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x69 0x94 0x07 0x94 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xD6 0xA5 0xCE 0xC6 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x86 0x0D 0x49 0x2C ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x7C 0x72 0xEE 0x1A ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x20 0x96 0xC8 0x12 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xCF 0x29 0x34 0xD8 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x57 0x58 0x7A 0x9D ...

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 61: malicious code @ sector 0x1d1c06c0 size 0x1fd
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR

---- EOF - GMER 1.0.15 ----



it's somewhat long :(


Thanks in advance for the advice

earl
VIP
Posts: 1279
Registered: 14 Dec 2005 20:59
Location: Brno

Re: win32/Mebroot.K Trojan

#12 Post by earl »

Hello,

Next time, please create a new topic with your own log so it doesn't get lost among the already-answered ones, thanks.

:arrow: download MBR

move mbr.exe to the C:\Windows directory

the next steps are as follows:

Start / Run, type cmd in the box and press Enter.

a command prompt window will pop up; type in the following command by hand:

mbr.exe -f

and press Enter

After the operation completes, restart and run mbr once more, this time normally from the desktop, and paste the log here.

:arrow: Download GMER (gmer.zip), unpack it and run it
a scan will run; when it finishes, the results will pop up,
then click Save to save both logs, and paste their contents here
In case of trouble, there is a guide in my signature: GMER.
Autoruns + HitmanPro + UPM + Avenger + GMER + OTM + AVPTool + RSIT + RootRepeal
________________________________________________________________________________________
AN UP-TO-DATE ANTIVIRUS AND A PERSONAL FIREWALL ARE TWO ESSENTIAL PROTECTIVE COMPONENTS OF EVERY PC CONNECTED TO THE INTERNET!!!
BY BACKING UP YOUR PERSONAL DATA YOU WILL NOT LOSE IT IN CASE OF FATAL SOFTWARE OR HARDWARE PROBLEMS!!
DO NOT USE COMBOFIX ON YOUR OWN, ONLY WHEN YOU ARE ASKED TO. IMPROPER HANDLING OF IT CAN RENDER THE SYSTEM INOPERABLE!
___________________________________________________________
----------------------earl@forum.viry.cz-----------------------

Brucoun
Visitor
Posts: 112
Registered: 04 May 2009 09:42

Re: win32/Mebroot.K Trojan

#13 Post by Brucoun »

so here are the logs:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0x1d1c06c0 size 0x1fd !
copy of MBR has been found in sector 62 !
PE file found in sector at 0x01D1C06C0 !


and from GMER:

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-05-04 20:07:32
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT E18C68D0 ZwConnectPort
SSDT sprg.sys ZwCreateKey [0xB9EA80E0]
SSDT sprg.sys ZwEnumerateKey [0xB9EC6CA2]
SSDT sprg.sys ZwEnumerateValueKey [0xB9EC7030]
SSDT sprg.sys ZwOpenKey [0xB9EA80C0]
SSDT sprg.sys ZwQueryKey [0xB9EC7108]
SSDT sprg.sys ZwQueryValueKey [0xB9EC6F88]
SSDT sprg.sys ZwSetValueKey [0xB9EC719A]
SSDT \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys ZwUnloadKey [0x9D5516D0]

INT 0x62 ? 89D63BF8
INT 0x63 ? 89CE2BF8
INT 0x73 ? 89DCFBF8
INT 0x82 ? 89D63BF8
INT 0x83 ? 89DCFBF8
INT 0xB4 ? 89CE2BF8

---- Kernel code sections - GMER 1.0.15 ----

? sprg.sys Systém nemůže nalézt uvedený soubor. !
.text USBPORT.SYS!DllUnload B8C9F8AC 5 Bytes JMP 89CE21D8
.text ar20ldn7.SYS B7B5F384 1 Byte [20]
.text ar20ldn7.SYS B7B5F384 37 Bytes [20, 00, 00, 68, 00, 00, 00, ...]
.text ar20ldn7.SYS B7B5F3AA 24 Bytes [00, 00, 20, 00, 00, E0, 00, ...]
.text ar20ldn7.SYS B7B5F3C4 3 Bytes [00, 00, 00]
.text ar20ldn7.SYS B7B5F3C9 1 Byte [00]
.text ...
? C:\WINDOWS\system32\Drivers\uphcleanhlp.sys Systém nemůže nalézt uvedený soubor. !
? C:\DOCUME~1\Owner\LOCALS~1\Temp\mbr.sys Systém nemůže nalézt uvedený soubor. !

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EA9040] sprg.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EA913C] sprg.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EA90BE] sprg.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EA97FC] sprg.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EA96D2] sprg.sys
IAT \SystemRoot\System32\Drivers\ar20ldn7.SYS[HAL.dll!KfAcquireSpinLock] 000000AD
IAT \SystemRoot\System32\Drivers\ar20ldn7.SYS[HAL.dll!READ_PORT_UCHAR] 000000D4
IAT \SystemRoot\System32\Drivers\ar20ldn7.SYS[HAL.dll!KeGetCurrentIrql] 000000A2
IAT \SystemRoot\System32\Drivers\ar20ldn7.SYS[HAL.dll!KfRaiseIrql] 000000AF
IAT \SystemRoot\System32\Drivers\ar20ldn7.SYS[HAL.dll!KfLowerIrql] 0000009C
IAT \SystemRoot\System32\Drivers\ar20ldn7.SYS[HAL.dll!HalGetInterruptVector] 000000A4
IAT \SystemRoot\System32\Drivers\ar20ldn7.SYS[HAL.dll!HalTranslateBusAddress] 00000072
IAT \SystemRoot\System32\Drivers\ar20ldn7.SYS[HAL.dll!KeStallExecutionProcessor] 000000C0
IAT \SystemRoot\System32\Drivers\ar20ldn7.SYS[HAL.dll!KfReleaseSpinLock] 000000B7
IAT \SystemRoot\System32\Drivers\ar20ldn7.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 000000FD
IAT \SystemRoot\System32\Drivers\ar20ldn7.SYS[HAL.dll!READ_PORT_USHORT] 00000093
IAT \SystemRoot\System32\Drivers\ar20ldn7.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 00000026
IAT \SystemRoot\System32\Drivers\ar20ldn7.SYS[HAL.dll!WRITE_PORT_UCHAR] 00000036
IAT \SystemRoot\System32\Drivers\ar20ldn7.SYS[WMILIB.SYS!WmiSystemControl] 000000F7
IAT \SystemRoot\System32\Drivers\ar20ldn7.SYS[WMILIB.SYS!WmiCompleteRequest] 000000CC
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B9EB9048] sprg.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 89DCE1F8

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

Device \FileSystem\Fastfat \FatCdrom 898FB1F8

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\NetBT \Device\NetBT_Tcpip_{49B7808E-C826-48B0-8DCD-17D32282BB6E} 8995A500
Device \Driver\usbohci \Device\USBPDO-0 89B901F8
Device \Driver\usbehci \Device\USBPDO-1 89B9C1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{14217C79-DF98-4835-8813-19C59AF3B74E} 8995A500

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Ftdisk \Device\HarddiskVolume1 89D641F8
Device \Driver\nvata \Device\00000071 89DCF1F8
Device \Driver\Cdrom \Device\CdRom0 89BD31F8
Device \Driver\nvata \Device\00000072 89DCF1F8
Device \Driver\Cdrom \Device\CdRom1 89BD31F8
Device \Driver\Cdrom \Device\CdRom2 89BD31F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 8995A500
Device \Driver\NetBT \Device\NetbiosSmb 8995A500
Device \Driver\USBSTOR \Device\00000079 898F2500
Device \Driver\PCI_PNP9856 \Device\0000004f sprg.sys

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\usbohci \Device\USBFDO-0 89B901F8
Device \Driver\nvatabus \Device\NvAta0 89D631F8
Device \Driver\usbehci \Device\USBFDO-1 89B9C1F8
Device \Driver\USBSTOR \Device\0000007a 898F2500
Device \Driver\sptd \Device\3838754856 sprg.sys
Device \Driver\nvata \Device\NvAta1 89DCF1F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8983E500
Device \Driver\nvata \Device\NvAta2 89DCF1F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8983E500
Device \Driver\Ftdisk \Device\FtControl 89D641F8
Device \Driver\ar20ldn7 \Device\Scsi\ar20ldn71 899BD1F8
Device \Driver\ar20ldn7 \Device\Scsi\ar20ldn71Port3Path0Target0Lun0 899BD1F8
Device \Driver\ar20ldn7 \Device\Scsi\ar20ldn71Port3Path0Target1Lun0 899BD1F8
Device \FileSystem\Fastfat \Fat 898FB1F8

AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

Device \FileSystem\Cdfs \Cdfs 897DB500

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x7C 0x72 0xEE 0x1A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x20 0x96 0xC8 0x12 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xCF 0x29 0x34 0xD8 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x57 0x58 0x7A 0x9D ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x69 0x94 0x07 0x94 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xD6 0xA5 0xCE 0xC6 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x86 0x0D 0x49 0x2C ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x7C 0x72 0xEE 0x1A ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x20 0x96 0xC8 0x12 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xCF 0x29 0x34 0xD8 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x57 0x58 0x7A 0x9D ...

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 61: malicious code @ sector 0x1d1c06c0 size 0x1fd
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR

---- EOF - GMER 1.0.15 ----

so what do you make of it ???

Brucoun
Visitor
Posts: 112
Registered: 04 May 2009 09:42

Re: win32/Mebroot.K Trojan

#14 Post by Brucoun »

Well, I just ran Dr. Web CureIt and after a few minutes of scanning I got a blue screen :( with a message that a problem has been detected .......

DRIVER_IRQL_NOT_LESS_OR_EQUAL

and then the usual blurb :(

Brucoun
Visitor
Posts: 112
Registered: 04 May 2009 09:42

Re: win32/Mebroot.K Trojan

#15 Post by Brucoun »

After the restart I ran Dr. CureIt and Symantec and so far they haven't found anything, so I hope it will be fine. Just please take a look at those logs ... I have no idea how to find my way around them .. Look, if there were something there, would it show a message and print that line in red ??

Thanks for the advice
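A small triage helper for the two outputs posted in this thread (the mbr.exe detector lines and GMER's "Disk sectors" section), added here as an example; it is not a GMER tool and not code by anyone in the thread. It pulls the flagged lines out of both logs, records which sectors they point at (the hidden code block and the stashed MBR copy), and checks that the two tools name the same sectors. The sample logs are constructed from the lines posted above; the "clean" run is an assumed baseline with no flagged lines.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed samples: the finding lines from the mbr.exe and GMER output
# posted in this thread, trimmed to the sections the triage looks at.
SAMPLE_MBR_LOG = r"""
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0x1d1c06c0 size 0x1fd !
copy of MBR has been found in sector 62 !
PE file found in sector at 0x01D1C06C0 !
"""
SAMPLE_GMER_LOG = r"""
---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 sector 61: malicious code @ sector 0x1d1c06c0 size 0x1fd
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR
---- EOF - GMER 1.0.15 ----
"""
# Constructed: a run with no flagged lines, assumed here to be a clean baseline.
SAMPLE_CLEAN_MBR_LOG = r"""
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
"""

RE_HIDDEN_CODE = re.compile(r"malicious code @ sector (0x[0-9A-Fa-f]+) size (0x[0-9A-Fa-f]+)")
RE_MBR_COPY_TOOL = re.compile(r"copy of MBR has been found in sector (\d+)")
RE_PE_SECTOR = re.compile(r"PE file found in sector at (0x[0-9A-Fa-f]+)")
RE_GMER_DISK = re.compile(r"^Disk (\S+) sector (\d+): (.+)$")


@dataclass
class Finding:
    source: str            # "mbr.exe" or "gmer"
    kind: str              # hidden_code | mbr_backup | pe_in_sector | other
    sector: Optional[int]  # sector the finding points at (payload or MBR copy)
    size: Optional[int]    # payload size in bytes, when the tool reports one
    raw: str


def _classify(source, text, default_sector):
    """Map one finding line to a Finding; the sector comes from the text when it
    names one, otherwise from GMER's 'sector N:' prefix (default_sector)."""
    if m := RE_HIDDEN_CODE.search(text):
        return Finding(source, "hidden_code", int(m.group(1), 16), int(m.group(2), 16), text)
    if m := RE_MBR_COPY_TOOL.search(text):
        return Finding(source, "mbr_backup", int(m.group(1)), None, text)
    if text.startswith("copy of MBR"):
        return Finding(source, "mbr_backup", default_sector, None, text)
    if m := RE_PE_SECTOR.search(text):
        return Finding(source, "pe_in_sector", int(m.group(1), 16), None, text)
    return Finding(source, "other", default_sector, None, text)


def parse_mbr_log(text):
    """mbr.exe marks its findings with a trailing ' !'; status lines carry none."""
    return [_classify("mbr.exe", ln.strip().rstrip("!").strip(), None)
            for ln in text.splitlines() if ln.strip().endswith("!")]


def parse_gmer_disk_section(text):
    """Only 'Disk <device> sector N: <description>' lines carry findings."""
    out = []
    for ln in text.splitlines():
        if m := RE_GMER_DISK.match(ln.strip()):
            out.append(_classify("gmer", m.group(3), int(m.group(2))))
    return out


def triage(findings):
    """Summarise the findings and check that both tools name the same sectors."""
    payload = sorted({f.sector for f in findings if f.kind in ("hidden_code", "pe_in_sector")})
    backups = sorted({f.sector for f in findings if f.kind == "mbr_backup"})
    sizes = sorted({f.size for f in findings if f.size is not None})
    return {"verdict": "mbr_rootkit_indicators" if payload or backups else "clean",
            "payload_sectors": payload, "mbr_backup_sectors": backups,
            "payload_sizes": sizes,
            "tools_agree": len(payload) <= 1 and len(backups) <= 1}


if __name__ == "__main__":
    found = parse_mbr_log(SAMPLE_MBR_LOG) + parse_gmer_disk_section(SAMPLE_GMER_LOG)
    for f in found:
        print(f"{f.source:8} {f.kind:13} sector={f.sector} size={f.size}")
    print(triage(found))
```

The same two parsers can be run over the log posted after `mbr.exe -f` and the restart: a result with no payload or backup sectors is what you would expect to see once the hidden sectors are gone.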
