zase ROOTKIT

[brankar]

DOBRÝ DEN PROSÍM O KONTROLU COMBO FIX ZACHITIL ZASE ROTKITA

TADY JE LOG



ComboFix 09-11-20.02 - user 21.11.2009 12:00.29.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1250.420.1029.18.511.259 [GMT 1:00]
Spuštěný z: c:\documents and settings\user\Dokumenty\kikikikikikikikikikikiiá\ComboFix.exe
AV: AVG *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: COMODO Antivirus *On-access scanning disabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Smart-Ads-Solutions
c:\program files\Smart-Ads-Solutions\SmartAds\1.1.2.0\uninstall.exe
c:\windows\system32\drivers\pciide.sys
c:\windows\system32\evlytniofgwbysq.exe

c:\windows\System32\Drivers\vax347s.sys . . . je infikován!!

.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_RKHIT
-------\Service_RkHit


((((((((((((((((((((((((( Soubory vytvořené od 2009-10-21 do 2009-11-21 )))))))))))))))))))))))))))))))
.

2009-11-21 10:52 . 2008-04-14 12:00 96512 -c--a-w- c:\windows\system32\dllcache\atapi.sys
2009-11-21 10:52 . 2008-04-14 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-11-20 12:00 . 2009-11-20 12:00 -------- d-----w- c:\program files\ezLife
2009-11-20 10:43 . 2009-11-20 13:44 -------- d-----w- c:\program files\Registry Easy
2009-11-19 12:31 . 2009-11-19 12:31 -------- d-----w- c:\program files\EMCO
2009-11-17 18:00 . 2009-11-20 11:10 -------- d-sh--w- c:\documents and settings\user\IECompatCache
2009-11-17 16:39 . 2009-11-17 17:25 -------- d-----w- c:\program files\Bus Simulator
2009-11-16 08:42 . 2009-11-16 08:42 286720 ----a-w- c:\windows\system32\wmllyzdn.dll
2009-11-16 08:42 . 2009-11-16 08:42 290304 ----a-w- c:\windows\system32\svtomugm.dll
2009-11-14 11:02 . 2009-11-14 11:02 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-11-14 10:59 . 2009-11-20 11:07 -------- d-sh--w- c:\documents and settings\user\PrivacIE
2009-11-14 10:57 . 2009-11-14 10:57 -------- d-sh--w- c:\documents and settings\user\IETldCache
2009-11-14 10:47 . 2009-10-02 04:44 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-11-14 10:45 . 2009-11-14 10:49 -------- d-----w- c:\windows\ie8updates
2009-11-14 10:40 . 2009-08-29 07:58 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-11-14 10:40 . 2009-08-29 07:58 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-11-14 10:40 . 2009-08-29 07:58 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-11-14 10:40 . 2009-08-29 07:58 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-11-14 10:40 . 2009-08-29 07:58 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-11-14 10:40 . 2009-08-29 07:58 11069440 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-11-14 10:37 . 2009-11-14 10:40 -------- dc-h--w- c:\windows\ie8
2009-11-14 09:07 . 2009-11-14 09:07 -------- d-----w- c:\windows\system32\XPSViewer
2009-11-14 09:07 . 2009-11-14 09:07 -------- d-----w- c:\program files\MSBuild
2009-11-14 09:07 . 2009-11-14 09:07 -------- d-----w- c:\program files\Reference Assemblies
2009-11-14 09:06 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-11-14 09:06 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-11-14 09:06 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-11-14 09:06 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-11-14 09:06 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-11-14 09:06 . 2009-11-14 09:07 -------- d-----w- C:\f3cc40b8cb9f581d2518b62b
2009-11-14 09:06 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-11-14 09:06 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-11-12 14:43 . 2009-11-12 14:45 -------- d-----w- c:\program files\Euro Truck Simulator
2009-11-05 13:42 . 2000-08-19 18:29 268048 ----a-w- c:\windows\system32\dxtmeta2.dll
2009-11-04 16:22 . 2009-11-04 16:23 -------- d-----w- c:\program files\Landwirtschafts-Simulator 2009
2009-10-28 13:45 . 2009-10-28 13:45 -------- d-----w- c:\windows\system32\wbem\Repository
2009-10-26 16:26 . 2004-04-30 08:33 5248 ------w- c:\windows\system32\drivers\vax347s.sys
2009-10-26 12:45 . 2009-10-26 12:45 -------- d-----w- c:\program files\Microsoft Games
2009-10-25 11:12 . 2009-09-10 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-25 11:12 . 2009-11-10 19:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-25 11:12 . 2009-09-10 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-24 11:52 . 2009-10-24 12:00 -------- d--h--w- c:\program files\Zero G Registry
2009-10-24 11:51 . 2009-10-24 11:51 -------- d--h--w- c:\documents and settings\user\InstallAnywhere

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-18 20:04 . 2009-09-30 12:41 397312 ----a-w- c:\windows\system32\fpextqfzyboo.dll
2009-11-18 09:41 . 2009-04-21 08:57 171552 ----a-w- c:\windows\system32\guard32.dll
2009-11-18 09:41 . 2009-04-21 08:57 87104 ----a-w- c:\windows\system32\drivers\inspect.sys
2009-11-18 09:41 . 2009-04-21 08:57 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2009-11-18 09:41 . 2009-04-21 08:57 132808 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2009-11-17 15:06 . 2008-10-17 21:33 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-14 09:39 . 2006-03-02 12:00 91866 ----a-w- c:\windows\system32\perfc005.dat
2009-11-14 09:39 . 2006-03-02 12:00 469558 ----a-w- c:\windows\system32\perfh005.dat
2009-11-12 13:07 . 2009-07-12 08:52 -------- d-----w- c:\program files\Fifa Master
2009-11-12 12:31 . 2008-10-26 06:54 -------- d-----w- c:\program files\EA Sports
2009-11-09 13:15 . 2009-10-10 16:24 -------- d-----w- c:\program files\Electronic Arts
2009-10-31 15:19 . 2008-12-22 17:42 -------- d-----w- c:\program files\Sports Interactive
2009-10-23 04:21 . 2009-10-17 05:23 -------- d-----w- c:\program files\Ares
2009-10-22 10:29 . 2009-10-22 10:21 3773087 ----a-w- c:\windows\REGBK05.ZIP
2009-10-21 14:35 . 2009-10-21 14:35 -------- d-----w- c:\program files\2K Sports
2009-10-17 10:40 . 2009-10-16 12:48 -------- d-----w- c:\program files\Freeware PDF Unlocker
2009-10-16 14:12 . 2009-10-16 14:12 -------- d-----w- c:\program files\Intelore
2009-10-14 08:30 . 2009-10-14 08:30 -------- d-----w- c:\program files\7-Zip
2009-10-11 16:36 . 2009-05-18 11:09 1474832 ----a-w- c:\windows\system32\drivers\sfi.dat
2009-10-10 17:15 . 2009-10-10 17:15 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-10-10 04:54 . 2009-10-10 04:53 5073806 ----a-w- c:\windows\REGBK04.ZIP
2009-10-04 14:06 . 2009-10-03 14:02 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-03 15:27 . 2009-10-03 15:27 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-10-02 20:41 . 2009-10-02 20:39 5067769 ----a-w- c:\windows\REGBK03.ZIP
2009-10-02 19:49 . 2009-05-07 08:35 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-21 09:59 . 2009-09-21 09:58 5076455 ----a-w- c:\windows\REGBK02.ZIP
2009-09-11 14:19 . 2008-04-14 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:05 . 2008-04-14 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 15:44 . 2009-10-20 16:35 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2009-09-04 15:44 . 2009-10-20 16:35 238936 ----a-w- c:\windows\system32\xactengine3_5.dll
2009-09-04 15:44 . 2009-04-13 17:44 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-09-04 15:29 . 2009-10-20 16:35 235344 ----a-w- c:\windows\system32\d3dx11_42.dll
2009-09-04 15:29 . 2009-10-20 16:35 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2009-09-04 15:29 . 2009-10-20 16:35 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll
2009-09-04 15:29 . 2009-10-20 16:35 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2009-09-04 15:29 . 2009-10-20 16:35 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2009-08-29 07:58 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:02 . 2008-04-14 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
.

(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1D36201E-9190-4A6B-A776-27C381A5B96D}]
2009-11-16 08:42 290304 ----a-w- c:\windows\system32\svtomugm.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5948A52A-BA3A-49A8-BCAF-D578502BDA9D}]
2009-07-27 15:48 330752 ----a-w- c:\documents and settings\user\Data aplikací\Messenger\Drivers\MsgUpdate.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{815F6964-C399-DA2E-2188-4E353655EFDD}]
2009-11-18 20:04 397312 ----a-w- c:\windows\system32\fpextqfzyboo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C0873976-C5D1-498B-B0C9-6B47624109FB}]
2009-11-16 08:42 286720 ----a-w- c:\windows\system32\wmllyzdn.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxSys"="c:\documents and settings\user\Data aplikací\Messenger\Drivers\IgfxSys.dll" [2009-07-27 186368]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-03 61440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-11-18 1800464]
"jafeypukewazc"="c:\windows\system32\fpextqfzyboo.dll" [2009-11-18 397312]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-08-30 69632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 09:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^user^Nabídka Start^Programy^Po spuštění^FIFA 10 Registration.lnk]
backup=c:\windows\pss\FIFA 10 Registration.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Opera\\Opera.exe"=
"c:\\Program Files\\2K Sports\\NBA 2K10\\nba2k10.exe"=
"c:\\Documents and Settings\\user\\Dokumenty\\košikova nba\\nba2k10.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Sports Interactive\\Football Manager 2010\\fm.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [27.1.2009 10:14 64160]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10.10.2009 18:15 721904]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [21.4.2009 9:57 132808]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17.2.2009 10:43 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [17.2.2009 10:43 55024]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [17.2.2009 10:43 7408]

--- Ostatní služby/ovladače v paměti ---

*NewlyCreated* - CLASSPNP_2
*Deregistered* - CLASSPNP_2
.
Obsah adresáře 'Naplánované úlohy'

2009-11-20 c:\windows\Tasks\Schedule Task Weekly.job
- c:\program files\Registry Easy\RE.exe [2009-10-04 18:39]
.
.
------- Doplňkový sken -------
.
uDefault_Search_URL = hxxp://www.google.com
uStart Page = hxxp://www.seznam.cz/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {7E1B775D-FB9F-4945-8B6B-60D8BA4F52C7} = 10.1.1.1
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -

AddRemove-evlytniofgwbysq - c:\windows\system32\evlytniofgwbysq.exe
AddRemove-Smart-Ads-Solutions - c:\program files\Smart-Ads-Solutions\SmartAds\1.1.2.0\uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-21 12:20
Windows 5.1.2600 Service Pack 3 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8278A8D0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf84e3f28
\Driver\ACPI -> ACPI.sys @ 0xf8316cb8
\Driver\atapi -> 0x8278a8d0
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: Realtek RTL8139 Family PCI Fast Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xf81dbbd4
PacketIndicateHandler -> NDIS.sys @ 0xf81c9a0d
SendHandler -> NDIS.sys @ 0xf81ddb40
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------

[HKEY_USERS\S-1-5-21-1409082233-1580818891-839522115-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1409082233-1580818891-839522115-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:b7,4a,67,15,5b,a9,6a,5b,cd,e9,29,0d,e8,6d,03,26,ab,ed,d4,03,b1,05,91,
9e,12,18,64,cd,52,6a,9b,30,35,dd,39,6d,c6,2c,07,28,e0,cc,4d,3d,fe,d3,a7,b4,\
"??"=hex:8a,95,0c,91,36,dd,90,2c,2c,e3,05,7a,7a,8f,80,cc

[HKEY_USERS\S-1-5-21-1409082233-1580818891-839522115-1004\Software\SecuROM\License information*]
"datasecu"=hex:fc,f7,b4,e1,1a,0b,8d,1a,2e,05,40,9a,99,2b,d2,8c,d8,5f,96,56,75,
10,34,70,af,7e,01,cb,a4,bb,cf,55,2f,90,0b,28,85,40,55,ae,54,8b,2f,81,7b,89,\
"rkeysecu"=hex:c4,98,f8,f2,a3,e0,a8,86,3b,5f,9f,89,b6,9f,0a,07
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(768)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3708)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\COMODO\COMODO Internet Security\cmdagent.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\windows\system32\wscntfy.exe
c:\windows\System32\regsvr32.exe
c:\windows\system32\rundll32.exe
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\program files\Internet Explorer\IEXPLORE.EXE
.
**************************************************************************
.
Celkový čas: 2009-11-21 12:28 - počítač byl restartován
ComboFix-quarantined-files.txt 2009-11-21 11:28

Před spuštěním: Volných bajtů: 65 529 892 864
Po spuštění: Volných bajtů: 65 442 041 856

Current=1 Default=1 Failed=0 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - 3A848C0F309CB0571BBAA4CE73AA7B4D

[earl]

Zdravim,

jeste poprosim o tento krok:

Stahnete GMER , rozbalte a spustte
probehne sken, po jehoz ukonceni na vas vyskoci vysledky
pote kliknete na Save a ulozite tak log, jehoz obsah sem vlozte
pote dle tohoto navodu absolvujte druhy sken a opet obsah logu sem.

[brankar]

stahnul jsem tento program beží tak 5vteřin a potom to hodí chybu s pamětí nelze provést operaci

[earl]

Stahnete Rootkit Revealer

Rozbalte ZIP archiv a spustte aplikaci.

Kliknete na tlacitko Scan a po dokonceni scanu kliknete na File - Save a ulozeny log vlozte sem.

[brankar]

TADY JE LOG

HKU\.DEFAULT\Control Panel\International 8.6.2009 7:34 0 bytes Security mismatch.
HKU\.DEFAULT\Control Panel\International\Geo 8.6.2009 7:34 0 bytes Security mismatch.
HKU\S-1-5-21-1409082233-1580818891-839522115-1004\Console 21.11.2009 12:28 0 bytes Security mismatch.
HKU\S-1-5-21-1409082233-1580818891-839522115-1004\Control Panel\International 8.6.2009 7:34 0 bytes Security mismatch.
HKU\S-1-5-21-1409082233-1580818891-839522115-1004\Control Panel\International\Geo 8.6.2009 7:34 0 bytes Security mismatch.
HKU\S-1-5-21-1409082233-1580818891-839522115-1004\Software\Microsoft\Windows\ShellNoRoam\Bags\652\Shell\MinPos1024x768(1).x 21.11.2009 15:40 4 bytes Data mismatch between Windows API and raw hive data.
HKU\S-1-5-21-1409082233-1580818891-839522115-1004\Software\Microsoft\Windows\ShellNoRoam\Bags\652\Shell\MinPos1024x768(1).y 21.11.2009 15:40 4 bytes Data mismatch between Windows API and raw hive data.
HKU\S-1-5-21-1409082233-1580818891-839522115-1004\Software\Microsoft\Windows\ShellNoRoam\Bags\652\Shell\WinPos1024x768(1).left 21.11.2009 15:40 4 bytes Data mismatch between Windows API and raw hive data.
HKU\S-1-5-21-1409082233-1580818891-839522115-1004\Software\Microsoft\Windows\ShellNoRoam\Bags\652\Shell\WinPos1024x768(1).top 21.11.2009 15:40 4 bytes Data mismatch between Windows API and raw hive data.
HKU\S-1-5-21-1409082233-1580818891-839522115-1004\Software\Microsoft\Windows\ShellNoRoam\Bags\652\Shell\WinPos1024x768(1).right 21.11.2009 15:40 4 bytes Data mismatch between Windows API and raw hive data.
HKU\S-1-5-21-1409082233-1580818891-839522115-1004\Software\Microsoft\Windows\ShellNoRoam\Bags\652\Shell\WinPos1024x768(1).bottom 21.11.2009 15:40 4 bytes Data mismatch between Windows API and raw hive data.
HKU\S-1-5-21-1409082233-1580818891-839522115-1004\Software\Microsoft\Windows\ShellNoRoam\Bags\652\Shell\ItemPos1024x768(1) 21.11.2009 15:40 604 bytes Data mismatch between Windows API and raw hive data.
HKU\S-1-5-21-1409082233-1580818891-839522115-1004\Software\SecuROM\!CAUTION! NEVER DELETE OR CHANGE ANY KEY* 31.8.2009 9:59 0 bytes Key name contains embedded nulls (*)
HKU\S-1-5-21-1409082233-1580818891-839522115-1004\Software\SecuROM\License information* 21.10.2009 14:58 0 bytes Key name contains embedded nulls (*)
HKU\S-1-5-21-1409082233-1580818891-839522115-1004\Software\WinRAR\General\Toolbar\Layout\Band0 21.11.2009 15:33 56 bytes Data mismatch between Windows API and raw hive data.
HKU\S-1-5-21-1409082233-1580818891-839522115-1004\Software\WinRAR\General\Toolbar\Layout\Band1 21.11.2009 15:33 56 bytes Data mismatch between Windows API and raw hive data.
HKU\S-1-5-21-1409082233-1580818891-839522115-1004\Software\WinRAR\General\Toolbar\Layout\Band2 21.11.2009 15:33 56 bytes Data mismatch between Windows API and raw hive data.
HKU\S-1-5-18\Control Panel\International 8.6.2009 7:34 0 bytes Security mismatch.
HKU\S-1-5-18\Control Panel\International\Geo 8.6.2009 7:34 0 bytes Security mismatch.
HKLM\SECURITY\Policy\Secrets\SAC* 17.10.2008 22:28 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 17.10.2008 22:28 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\swearware\backup\winsock2 20.7.2009 12:28 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters 20.7.2009 12:28 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5 20.7.2009 12:28 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries 20.7.2009 12:28 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 20.7.2009 12:28 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 20.7.2009 12:28 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 20.7.2009 12:28 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004 20.7.2009 12:28 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9 20.7.2009 12:28 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries 20.7.2009 12:28 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001 20.7.2009 12:28 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002 20.7.2009 12:28 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003 20.7.2009 12:28 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004 20.7.2009 12:28 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005 20.7.2009 12:28 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006 20.7.2009 12:28 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007 20.7.2009 12:28 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008 20.7.2009 12:28 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009 20.7.2009 12:28 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010 20.7.2009 12:28 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011 20.7.2009 12:28 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012 20.7.2009 12:28 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013 20.7.2009 12:28 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014 20.7.2009 12:28 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015 20.7.2009 12:28 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016 20.7.2009 12:28 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017 20.7.2009 12:28 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000018 20.7.2009 12:28 0 bytes Security mismatch.
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg 26.10.2009 17:20 0 bytes Access is denied.
HKLM\SYSTEM\ControlSet001\Services\vax347s\Config\jdgg40 6.3.2009 13:47 0 bytes Hidden from Windows API.
C:\Documents and Settings\user\Data aplikací\Sports Interactive\Installer Launcher \cache 22.12.2008 18:24 0 bytes Hidden from Windows API.
C:\Documents and Settings\user\Data aplikací\Sports Interactive\Installer Launcher \logs 22.12.2008 18:24 0 bytes Hidden from Windows API.
C:\Documents and Settings\user\Data aplikací\Sports Interactive\Installer Launcher \settings 22.12.2008 18:24 0 bytes Hidden from Windows API.
C:\Documents and Settings\user\Data aplikací\Sports Interactive\Installer Launcher \temporary 22.12.2008 18:24 0 bytes Hidden from Windows API.
C:\Documents and Settings\user\Data aplikací\Sports Interactive\Installer Launcher\cache 22.12.2008 18:24 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\user\Data aplikací\Sports Interactive\Installer Launcher\logs 22.12.2008 18:24 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\user\Data aplikací\Sports Interactive\Installer Launcher\settings 22.12.2008 18:24 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\user\Data aplikací\Sports Interactive\Installer Launcher\temporary 22.12.2008 18:24 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\Program Files\COMODO\COMODO Internet Security\Quarantine\msgasst84.dll 21.11.2009 11:36 399.50 KB Hidden from Windows API.
C:\Program Files\COMODO\COMODO Internet Security\Quarantine\msgasst84.dll.info 21.11.2009 11:36 228 bytes Hidden from Windows API.
C:\Program Files\COMODO\COMODO Internet Security\Quarantine\PrivacyEraser.exe 20.11.2009 11:16 719.50 KB Hidden from Windows API.
C:\Program Files\COMODO\COMODO Internet Security\Quarantine\PrivacyEraser.exe.info 20.11.2009 11:16 210 bytes Hidden from Windows API.

[earl]

V zadnem pripade nerestartujte pc!

Napisi vam postup,co dal.

[earl]

Stáhněte si CF-DeQuarantine a uložte ho na plochu - http://download.bleepingcomputer.com/sU ... antine.exe

- Najděte na disku tyto soubory a složky:

<Vypíší se kompletní cesty k souborům a složkám v Qooboxu.>

c:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\pciide.sys.vir

- Postupně po jednom každý soubor a složku uchopte, přetáhněte je nad stažený CF-DeQuarantine a po překrytí je pusťte.

- Tohle obnoví soubory a složky z karantény ComboFixu do původního umístění.

Az to budete mit,napiste.

[earl]

Dale bude treba udelat nasledujici kroky:

otestujte na VIRUSTOTALu

c:\windows\System32\Drivers\vax347s.sys

c:\windows\system32\dllcache\atapi.sys

c:\windows\system32\drivers\atapi.sys

c:\windows\system32\dxtmeta2.dll

c:\documents and settings\user\Data aplikací\Messenger\Drivers\IgfxSys.dll

(navod prosty: po nacteni stranky kliknete na tlacitko Prochazet , najdete cestu k vyse zminenemu souboru a kliknete na tlacitko Odeslat soubor; dejte skenerum nejakych deset minut; vysledek sem vlozte)

Pokud skener napíše, že soubor již byl testován, dejte otestovat znovu.

Stahnete MBR ulozte ho na plochu-spustte - vytvori se log mbr.log, vlozte ho cely sem.

[brankar]

HLASÍ TO ŽE
c:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\pciide.sys.vir ODKAZUJE NA UMÍSTENI KTERE NENI JIŽ K DYSPOZICI, UMÍSTĚNÍ MUŽE BYT NA PEVNÉM DYSKU NEBO V SÍTI

[brankar]

TADYJE TEST VIRUSTOTALu
VLOŽIL JSEM JE CO JSOU INFIKOVANÝ


http://www.virustotal.com/cs/analisis/b ... 1258818835

[brankar]

http://www.virustotal.com/cs/analisis/b ... 1258818963

[brankar]

http://www.virustotal.com/cs/analisis/e ... 1258819192

[earl]

Bude treba obnovit soubor c:\windows\system32\drivers\pciide.sys,jinak vam po vypnuti pc nepujde spustit.

Bohuzel musim za chvili odejit a budu tu az zitra,takze pokud se vam nepovede nasledujici krok,pc nevypinejte.

1. Restartujte počítač.
2. Po restartu budete vyzváni, abyste si vybrali, který operační systém chcete spustit - vyberte položku: Konzola pro zotavení systému Microsoft Windows.
3. Zadejte, ke které instalaci Windows se chcete přihlásit - stiskněte 1 a potvrďte klávesou Enter.
4. Zadejte heslo administrátora počítače a stiskněte Enter.
5. Do příkazového řádku napište tuto cestu: cd erdnt\hiv-backup <nebo> cd erdnt\subs a potvrďte klávesou Enter.
6. Poté zadejte tento příkaz: batch erdnt.con a stiskněte Enter.
7. Nakonec napište tento příkaz: exit a potvrďte Enterem. Tohle ukončí Konzoli pro zotavení a restartuje počítač.

[earl]

Pokud se vam povede predchozi krok,udelejte dale toto:

Stahnete si OTMoveIt3 , spustte (pokud mate vistu spuste run as administrator) a
do leveho policka se zlutym hornim okrajem Paste Instructions for Items to be Moved zkopirujte toto:

Kód: Vybrat vše

:processes
explorer.exe
:file
c:\windows\system32\wmllyzdn.dll
c:\windows\system32\svtomugm.dll
c:\windows\system32\fpextqfzyboo.dll
:reg
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1D36201E-9190-4A6B-A776-27C381A5B96D}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{815F6964-C399-DA2E-2188-4E353655EFDD}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C0873976-C5D1-498B-B0C9-6B47624109FB}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"jafeypukewazc"=-
:reg
:commands
[purity]
[emptytemp]
[resethosts]
[start explorer]
[reboot]

Kliknete na MoveIt, v okne se zelenym hornim okrajem Results se objevi vysledek,obsah okna zkopirujte sem. Kdyby OTMoveIt vyzadoval restart - povolit. Nasledujici log najdete v C:\_OTMoveIt\MovedFiles\xxxxx.log (x je zastupny znak) ktery otevrete v poznamkovem bloku.

[brankar]

prosímtě jak mám udelat na klavesnici obracena lomítka cd erdnt\hiv-backup <nebo> cd erdnt\subs . musím přepnout do AN VERZE