Terribly virus-infected PC
Posted: 12 Jan 2010 15:20
Hi, on a warez forum they told me that my PC can't be saved... that I should format all disks, USB sticks... etc... that I shouldn't back up anything... is that really necessary? Because I wouldn't survive that... deleting data that I need...
Here is the LOG from COMBOFIX:
ComboFix 10-01-11.03 - emitor . 01. 2010 14:55:29.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1250.421.1033.18.2047.1686 [GMT 1:00]
Running from: c:\documents and settings\emitor\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\emitor\LOCALS~1\Temp\init.exe
c:\documents and settings\emitor\Application Data\avdrn.dat
c:\documents and settings\emitor\Application Data\wiaservg.log
c:\documents and settings\emitor\implayok .exe
c:\documents and settings\emitor\implayok.exe
c:\documents and settings\emitor\Local Settings\Temp\init.exe
c:\documents and settings\emitor\nwiz .exe
c:\documents and settings\emitor\nwiz.exe
c:\documents and settings\emitor\oashdihasidhasuidhiasdhiashdiuasdhasd
c:\documents and settings\emitor\reader_s .exe
c:\documents and settings\emitor\reader_s.exe
c:\documents and settings\emitor\rundll32 .exe
c:\documents and settings\emitor\rundll32.exe
c:\documents and settings\emitor\Start Menu\Programs\Startup\ihaupd32.exe
c:\documents and settings\emitor\Start Menu\Programs\Startup\updxsp32.exe
c:\program files\Internet Explorer\wmpscfgs.exe
c:\recycler\S-1-5-21-0243936033-3052116371-381863308-1811
c:\recycler\S-1-5-21-0310527904-8820537321-609756522-6066
c:\recycler\S-1-5-21-8324223848-1432359928-135310210-9120
c:\recycler\S-1-5-21-8324223848-1432359928-135310210-9120\Desktop.ini
c:\recycler\S-1-5-21-8324223848-1432359928-135310210-9120\wnzip32.exe
c:\windows\ccdrive32 .exe
c:\windows\ccdrive32.exe
c:\windows\Fonts\mlog
c:\windows\Fonts\services.exe
c:\windows\irc.txt
c:\windows\kb913800.exe
c:\windows\system32\11220101436.dll
c:\windows\system32\112201014418.dll
c:\windows\system32\2275,965.exe
c:\windows\system32\3196,375.exe
c:\windows\system32\4789,393.exe
c:\windows\system32\6to4ex.dll
c:\windows\system32\7025,568.exe
c:\windows\system32\7244,684.exe
c:\windows\system32\731,1648.exe
c:\windows\system32\BtwSrv.dll
c:\windows\system32\cooper.mine
c:\windows\system32\ctfmon .exe
c:\windows\system32\Data
c:\windows\system32\drivers\nukqttim.sys
c:\windows\system32\FastNetSrv.exe
c:\windows\system32\FInstall.sys
c:\windows\system32\implayok .exe
c:\windows\system32\imPlayok.exe
c:\windows\system32\Install.txt
c:\windows\system32\kbdsock.dll
c:\windows\system32\kzp.4e
c:\windows\system32\lsm32.sys
c:\windows\system32\mshlps.dll
c:\windows\system32\msjuehus.dll
c:\windows\system32\msptfpxi.dll
c:\windows\system32\nmklo.dll
c:\windows\system32\nwiz .exe
c:\windows\system32\opeia.exe
c:\windows\system32\reader_s .exe
c:\windows\system32\reader_s.exe
c:\windows\system32\regedit.exe
c:\windows\system32\rth.gde
c:\windows\system32\rundll32 .exe
c:\windows\TEMP\mta13187.dll
c:\windows\updreg .exe
Infected copy of c:\windows\regedit.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\regedit.exe
Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\explorer.exe
Infected copy of c:\windows\hh.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\hh.exe
Infected copy of c:\windows\TASKMAN.EXE was found and disinfected
Restored copy from - c:\windows\system32\dllcache\TASKMAN.EXE
Infected copy of c:\windows\twunk_32.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\twunk_32.exe
Infected copy of c:\windows\winhlp32.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\winhlp32.exe
Infected copy of c:\windows\msagent\agentsvr.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\agentsvr.exe
Infected copy of c:\windows\pchealth\helpctr\binaries\HelpSvc.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\HelpSvc.exe
Infected copy of c:\windows\pchealth\helpctr\binaries\msconfig.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\msconfig.exe
Infected copy of c:\windows\system32\accwiz.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\accwiz.exe
Infected copy of c:\windows\system32\alg.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\alg.exe
Infected copy of c:\windows\system32\calc.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\calc.exe
Infected copy of c:\windows\system32\charmap.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\charmap.exe
Infected copy of c:\windows\system32\cisvc.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\cisvc.exe
Infected copy of c:\windows\system32\cleanmgr.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\cleanmgr.exe
Infected copy of c:\windows\system32\cmd.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\cmd.exe
Infected copy of c:\windows\system32\control.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\control.exe
Infected copy of c:\windows\system32\defrag.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\defrag.exe
Infected copy of c:\windows\system32\dfrgntfs.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\dfrgntfs.exe
Infected copy of c:\windows\system32\dllhost.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\dllhost.exe
Infected copy of c:\windows\system32\dmadmin.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\dmadmin.exe
Infected copy of c:\windows\system32\drwtsn32.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\drwtsn32.exe
Infected copy of c:\windows\system32\dumprep.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\dumprep.exe
Infected copy of c:\windows\system32\dwwin.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\dwwin.exe
Infected copy of c:\windows\system32\freecell.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\freecell.exe
Infected copy of c:\windows\system32\ie4uinit.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\ie4uinit.exe
Infected copy of c:\windows\system32\imapi.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\imapi.exe
Infected copy of c:\windows\system32\locator.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\locator.exe
Infected copy of c:\windows\system32\logonui.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\logonui.exe
Infected copy of c:\windows\system32\magnify.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\magnify.exe
Infected copy of c:\windows\system32\mnmsrvc.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\mnmsrvc.exe
Infected copy of c:\windows\system32\mobsync.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\mobsync.exe
Infected copy of c:\windows\system32\msdtc.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\msdtc.exe
Infected copy of c:\windows\system32\mshearts.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\mshearts.exe
Infected copy of c:\windows\system32\msiexec.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\msiexec.exe
Infected copy of c:\windows\system32\mspaint.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\mspaint.exe
Infected copy of c:\windows\system32\mstsc.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\mstsc.exe
Infected copy of c:\windows\system32\narrator.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\narrator.exe
Infected copy of c:\windows\system32\notepad.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\notepad.exe
Infected copy of c:\windows\system32\ntbackup.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\ntbackup.exe
Infected copy of c:\windows\system32\ntvdm.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\ntvdm.exe
Infected copy of c:\windows\system32\odbcad32.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\odbcad32.exe
Infected copy of c:\windows\system32\osk.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\osk.exe
Infected copy of c:\windows\system32\qwinsta.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\qwinsta.exe
Infected copy of c:\windows\system32\rcimlby.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\rcimlby.exe
Infected copy of c:\windows\system32\regsvr32.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\regsvr32.exe
Infected copy of c:\windows\system32\rsmsink.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\rsmsink.exe
Infected copy of c:\windows\system32\rsvp.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\rsvp.exe
Infected copy of c:\windows\system32\runonce.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\runonce.exe
Infected copy of c:\windows\system32\scardsvr.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\scardsvr.exe
Infected copy of c:\windows\system32\sessmgr.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\sessmgr.exe
Infected copy of c:\windows\system32\shmgrate.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\shmgrate.exe
Infected copy of c:\windows\system32\smlogsvc.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\smlogsvc.exe
Infected copy of c:\windows\system32\sndrec32.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\sndrec32.exe
Infected copy of c:\windows\system32\sndvol32.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\sndvol32.exe
Infected copy of c:\windows\system32\sol.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\sol.exe
Infected copy of c:\windows\system32\spider.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\spider.exe
Infected copy of c:\windows\system32\spoolsv.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\spoolsv.exe
Infected copy of c:\windows\system32\taskmgr.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\taskmgr.exe
c:\windows\system32\tourstart.exe . . . is infected!!
Infected copy of c:\windows\system32\ups.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\ups.exe
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\userinit.exe
Infected copy of c:\windows\system32\utilman.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\utilman.exe
Infected copy of c:\windows\system32\vssvc.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\vssvc.exe
Infected copy of c:\windows\system32\wiaacmgr.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\wiaacmgr.exe
Infected copy of c:\windows\system32\winmine.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\winmine.exe
Infected copy of c:\windows\system32\wscntfy.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\wscntfy.exe
Infected copy of c:\windows\system32\Restore\rstrui.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\rstrui.exe
Infected copy of c:\windows\system32\usmt\migwiz.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\migwiz.exe
Infected copy of c:\windows\system32\wbem\wmiadap.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\wmiadap.exe
Infected copy of c:\windows\system32\wbem\wmiapsrv.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\wmiapsrv.exe
Infected copy of c:\windows\system32\wbem\wmic.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\wmic.exe
Infected copy of c:\windows\system32\wbem\wmiprvse.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\wmiprvse.exe
Infected copy of c:\windows\system32\drivers\cdrom.sys was found and disinfected
Restored copy from - c:\system volume information\_restore{0C582453-D748-4DFE-9B70-3518CF805CB6}\RP6\A0000564.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_6TO4
-------\Legacy_BTWSRV
-------\Legacy_FASTNETSRV
-------\Legacy_TCPSR
-------\Service_6to4
-------\Service_BtwSrv
-------\Service_fastnetsrv
-------\Service_tcpsr
-------\Legacy_nukqttim
-------\Service_nukqttim
((((((((((((((((((((((((( Files Created from 2009-12-12 to 2010-01-12 )))))))))))))))))))))))))))))))
.
2010-01-12 14:02 . 2010-01-12 14:02 153476 ----a-w- c:\windows\system32\regedit .exe
2010-01-12 13:53 . 2010-01-12 13:53 4 ----a-w- c:\program files\3108781.dat
2010-01-12 13:40 . 2010-01-12 13:40 409088 ----a-w- c:\windows\system32\CF25164.exe
2010-01-12 13:27 . 2010-01-12 13:27 -------- d-----w- c:\program files\Trend Micro
2010-01-12 13:04 . 2010-01-12 13:04 106496 ----a-w- C:\suepfbbg.exe
2010-01-12 13:04 . 2010-01-12 13:04 39936 ----a-w- C:\cshk.exe
2010-01-12 13:04 . 2010-01-12 13:04 49524 ----a-w- C:\nxdm.exe
2010-01-12 13:03 . 2010-01-12 13:03 118 ----a-w- c:\windows\system32\fjhdyfhsn.bat
2010-01-12 13:03 . 2010-01-12 13:03 153476 ----a-w- C:\ouyxwn.exe
2010-01-12 13:03 . 2010-01-12 13:03 49524 ----a-w- C:\vciga.exe
2010-01-12 13:03 . 2010-01-12 13:03 126976 ----a-w- C:\cijara.exe
2010-01-06 11:15 . 2010-01-06 11:15 -------- d-----w- c:\windows\system32\NtmsData
2010-01-06 10:59 . 2010-01-06 11:01 -------- d-----w- c:\windows\nview
2010-01-06 10:59 . 2006-10-22 11:22 229376 ----a-w- c:\windows\system32\nvudisp.exe
2010-01-06 10:59 . 2010-01-06 10:59 -------- d-----w- c:\program files\CCleaner
2010-01-06 10:59 . 2006-10-22 14:06 229376 ----a-w- c:\windows\system32\NVUNINST.EXE
2010-01-06 10:58 . 2010-01-06 10:59 -------- d-----w- c:\program files\Nvidia
2010-01-06 10:58 . 2010-01-06 10:58 30688 ----a-w- c:\windows\system32\drivers\tifsfilt.sys
2010-01-06 10:58 . 2010-01-06 10:58 249152 ----a-w- c:\windows\system32\drivers\timntr.sys
2010-01-06 10:58 . 2010-01-06 10:58 96320 ----a-w- c:\windows\system32\drivers\snapman.sys
2010-01-06 10:58 . 2010-01-06 10:58 -------- d-----w- c:\program files\Common Files\Acronis
2010-01-06 10:58 . 2010-01-06 10:58 -------- d-----w- c:\program files\Acronis
2010-01-06 10:51 . 2005-06-15 03:07 11264 ----a-w- c:\windows\INRES.DLL
2010-01-06 10:51 . 2010-01-06 10:51 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-06 10:51 . 2010-01-06 10:52 -------- d-----w- c:\program files\Common Files\InstallShield
2010-01-06 10:49 . 2010-01-12 13:33 -------- d-----w- c:\program files\foobar2000
2010-01-06 10:33 . 2010-01-06 10:34 -------- d-----w- c:\documents and settings\emitor\Application Data\vlc
2010-01-06 10:33 . 2010-01-06 10:33 -------- d-----w- c:\program files\VideoLAN
2010-01-06 10:23 . 2010-01-06 10:23 -------- d-----w- c:\documents and settings\emitor\Local Settings\Application Data\GHISLER
2010-01-06 09:58 . 2003-06-18 23:31 18944 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\mdippr.dll
2010-01-06 09:58 . 2003-06-18 23:31 17920 ----a-w- c:\windows\system32\mdimon.dll
2010-01-06 09:57 . 2010-01-06 09:58 -------- d-----w- c:\windows\SHELLNEW
2010-01-06 09:56 . 2010-01-06 09:56 -------- d-----r- C:\MSOCache
2010-01-06 05:06 . 2010-01-06 05:06 -------- d-----w- c:\documents and settings\emitor\Application Data\Locktime
2010-01-06 05:06 . 2010-01-06 05:06 12328 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-05 20:18 . 2010-01-05 20:17 757760 ----a-w- c:\windows\iun6002.exe
2010-01-05 20:18 . 2010-01-05 20:18 -------- d-----w- c:\program files\Codec Pack - All In 1
2010-01-05 20:07 . 2010-01-05 20:07 -------- d-----w- c:\documents and settings\emitor\Application Data\AdobeUM
2010-01-05 20:07 . 2010-01-05 20:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Locktime
2010-01-05 20:06 . 2010-01-05 20:06 -------- d-----w- c:\documents and settings\emitor\Local Settings\Application Data\Adobe
2010-01-05 20:06 . 2010-01-05 20:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Adobe Systems
2010-01-05 20:05 . 2010-01-05 20:05 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
2010-01-05 20:05 . 2008-07-31 09:41 68616 ----a-w- c:\windows\system32\XAPOFX1_1.dll
2010-01-05 20:05 . 2008-07-31 09:40 509448 ----a-w- c:\windows\system32\XAudio2_2.dll
2010-01-05 20:05 . 2008-07-31 09:41 238088 ----a-w- c:\windows\system32\xactengine3_2.dll
2010-01-05 20:03 . 2010-01-05 20:05 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-05 20:02 . 2010-01-05 20:02 -------- d-----w- c:\windows\Logs
2010-01-05 19:53 . 2010-01-12 13:44 -------- d-----w- c:\documents and settings\emitor\PsiData
2010-01-05 19:52 . 2010-01-05 19:52 -------- d-----w- c:\program files\totalcmd
2010-01-05 19:52 . 2008-08-08 06:04 545 ----a-w- c:\windows\UC.PIF
2010-01-05 19:52 . 2008-08-08 06:04 545 ----a-w- c:\windows\RAR.PIF
2010-01-05 19:52 . 2008-08-08 06:04 545 ----a-w- c:\windows\PKZIP.PIF
2010-01-05 19:52 . 2008-08-08 06:04 545 ----a-w- c:\windows\PKUNZIP.PIF
2010-01-05 19:52 . 2008-08-08 06:04 545 ----a-w- c:\windows\NOCLOSE.PIF
2010-01-05 19:52 . 2008-08-08 06:04 545 ----a-w- c:\windows\LHA.PIF
2010-01-05 19:52 . 2008-08-08 06:04 545 ----a-w- c:\windows\ARJ.PIF
2010-01-05 19:51 . 2010-01-05 19:51 -------- d-----w- c:\program files\Psi
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-12 14:03 . 2010-01-12 14:03 91648 ----a-w- c:\windows\system32\7.tmp
2010-01-12 14:03 . 2006-10-22 11:22 153476 ----a-w- c:\windows\system32\nwiz.exe
2010-01-12 14:03 . 2010-01-12 14:03 27739 ----a-w- c:\windows\system32\6.tmp
2010-01-12 14:03 . 2010-01-06 10:52 153476 ----a-w- c:\windows\updreg.exe
2010-01-12 14:03 . 2010-01-12 14:03 164 ----a-w- c:\windows\system32\3.tmp
2010-01-12 13:50 . 2005-06-14 12:00 39936 ----a-w- c:\windows\system32\ctfmon.exe
2010-01-12 13:37 . 2005-06-14 12:00 153476 ----a-w- c:\windows\system32\rundll32.exe
2010-01-12 13:04 . 2005-06-14 12:00 212480 ----a-w- c:\windows\system32\drivers\ndis.sys
2010-01-12 13:03 . 2006-10-15 18:49 577024 ----a-w- c:\windows\system32\user32.DLL
2010-01-12 13:03 . 2010-01-12 13:03 91648 ----a-w- c:\windows\system32\1C.tmp
2010-01-12 13:03 . 2010-01-12 13:03 16 ----a-w- c:\documents and settings\NetworkService\Application Data\hlusyf.dat
2010-01-12 13:03 . 2010-01-12 13:03 27740 ----a-w- c:\windows\system32\1B.tmp
2010-01-12 13:03 . 2010-01-12 13:03 164 ----a-w- c:\windows\system32\17.tmp
2010-01-06 11:05 . 2006-10-15 18:50 59392 ----a-w- c:\windows\system32\wdfmgr.exe
2010-01-06 10:52 . 2010-01-06 10:52 -------- d-----w- c:\program files\Creative
2010-01-05 07:26 . 2010-01-05 07:25 -------- d-----w- c:\program files\Opera
2010-01-05 07:17 . 2010-01-05 07:17 -------- d-----w- c:\program files\microsoft frontpage
2010-01-05 07:16 . 2010-01-05 07:13 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-01-05 07:16 . 2010-01-05 07:13 2722 ----a-w- c:\windows\pchealth\helpctr\PackageStore\SkuStore.bin
2010-01-05 07:15 . 2010-01-05 07:14 8972 ----a-w- c:\windows\pchealth\helpctr\Config\Cntstore.bin
2010-01-05 07:10 . 2010-01-05 07:10 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2010-01-05 07:09 . 2010-01-05 07:09 -------- d-----w- c:\program files\Windows Media Connect 2
.
c:\program files\Acronis\TrueImage\trueimagemonitor .exe
c:\program files\Common Files\Acronis\Schedule2\schedhlp .exe
c:\windows\system32\regedit .exe
.
------- Sigcheck -------
[-] 2010-01-12 . 558635D3AF1C7546D26067D5D9B6959E . 212480 . . [5.1.2600.2180] . . c:\windows\system32\drivers\ndis.sys
[-] 2010-01-12 . 558635D3AF1C7546D26067D5D9B6959E . 212480 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\ndis.sys
[-] 2010-01-12 . C05A121770C1D529989825AB020928B1 . 577024 . . [5.1.2600.2622] . . c:\windows\system32\user32.DLL
[-] 2010-01-12 . C05A121770C1D529989825AB020928B1 . 577024 . . [5.1.2600.2622] . . c:\windows\system32\dllcache\user32.dll
[-] 2005-06-14 . DDA1222162157556839DB1A768C146A7 . 45056 . . [5.1.2600.2180] . . c:\windows\system32\userinit.exe
[-] 2005-06-14 . 66F11BC4E6E14BED84C25DF0EE281411 . 45056 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\userinit.exe
[-] 2005-06-14 . 7B16ED28C2C0DCC2B127FD9F84A3E75E . 33792 . . [5.1.2600.2180] . . c:\windows\system32\wscntfy.exe
[-] 2005-06-14 . 54B44D88472B070FDB8113B86DC84266 . 34304 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\wscntfy.exe
[-] 2010-01-12 13:50 . B5E8B5FEF36C95FAF55F14504738D502 . 153476 . . [------] . . c:\windows\system32\ctfmon.exe
[-] 2005-06-14 . 2B91BC834D066E7723C38EBC1A3434CC . 35840 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\ctfmon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdrzli"="c:\windows\system32\msptfpxi.dll" [N/A]
"P17Helper"="P17.dll" [2005-05-03 64512]
"UpdReg"="c:\windows\UpdReg.EXE" [2010-01-12 153476]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImage\TrueImageMonitor.exe" [2010-01-12 153476]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2010-01-12 153476]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"nwiz"="nwiz.exe" [2010-01-12 153476]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"vkqzej"="c:\windows\system32\msjuehus.dll" [N/A]
"imPlayok"="c:\windows\system32\imPlayok.exe" [N/A]
"reader_s"="c:\windows\System32\reader_s.exe" [N/A]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2010-01-12 153476]
"reader_s"="c:\documents and settings\emitor\reader_s.exe" [N/A]
"imPlayok"="c:\documents and settings\emitor\imPlayok.exe" [N/A]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^emitor^Start Menu^Programs^Startup^Psi.lnk]
path=c:\documents and settings\emitor\Start Menu\Programs\Startup\Psi.lnk
backup=c:\windows\pss\Psi.lnkStartup
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Psi\\psi.exe"=
R3 tcpsr;tcpsr;\??\c:\windows\System32\drivers\tcpsr.sys --> c:\windows\System32\drivers\tcpsr.sys [?]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - TCPSR
.
.
------- Supplementary Scan -------
.
IE: E&xportovať do programu Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-12 15:05
Windows 5.1.2600 Service Pack 2 NTFS
detected NTDLL code modification:
ZwOpenFile
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\windows\system32\drivers\zffuxypylldyj1.sys 81152 bytes executable
c:\windows\system32\drivers\zvyokboooku3.sys 81152 bytes executable
scan completed successfully
hidden files: 2
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe >>UNKNOWN [0x89BC2530]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf763bf10
\Driver\ACPI -> ACPI.sys @ 0xf75aecb8
\Driver\atapi -> atapi.sys @ 0xba6887b4
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a01b0
ParseProcedure -> ntoskrnl.exe @ 0x8056f18e
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a01b0
ParseProcedure -> ntoskrnl.exe @ 0x8056f18e
NDIS: SiS 900-Based PCI Fast Ethernet Adapter -> SendCompleteHandler -> NDIS.sys @ 0x89b4faf9
PacketIndicateHandler -> NDIS.sys @ 0x89b5ab21
SendHandler -> NDIS.sys @ 0x89b4f938
user & kernel MBR OK
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\zffuxypylldyj1]
"ImagePath"="system32\drivers\zffuxypylldyj1.sys"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\zvyokboooku3]
"ImagePath"="system32\drivers\zvyokboooku3.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(664)
c:\windows\system32\relog_ap.dll
- - - - - - - > 'explorer.exe'(1100)
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\rundll32.exe
c:\docume~1\emitor\locals~1\temp\wmpscfgs.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
c:\program files\internet explorer\wmpscfgs.exe
c:\program files\internet explorer\wmpscfgs.exe
c:\windows\TEMP\VRT2.tmp
c:\windows\system32\Rundll32.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\Rundll32.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\nwiz.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\RUNDLL32.EXE
.
**************************************************************************
.
Completion time: 2010-01-12 15:06:46 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-12 14:06
Pre-Run: 11 113 381 888 bytes free
Post-Run: 11 110 281 216 bytes free
- - End Of File - - 63AF0A8C8FC643EFD17C4D40FD5E142B