Prosím o kontrolu logu.....děkuji

Zpráva

BlackAngel · #1 Příspěvek od **BlackAngel** » 12 led 2010 19:17

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:16:03, on 12.1.2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\msa.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Nasgharet\Plocha\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: CentrumczToolbar BHO - {33CD02D0-8C93-4926-A2FE-2CE72CE7DF1A} - C:\Program Files\CentrumczToolbar\IEToolbar.dll
O2 - BHO: CentrumczToolbar BHO - {33CD02D0-8C93-4926-A2FE-2CE72CE7DF1A} - C:\Program Files\CentrumczToolbar\IEToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Centrum.cz Toolbar - {D5D47440-0750-463D-BAEF-A47D02414806} - C:\Program Files\CentrumczToolbar\IEToolbar.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: infium.lnk = C:\Program Files\QIP Infium PafoPack\infium.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 4377 bytes

#2 Příspěvek od **Rudy** » 12 led 2010 19:48

Dejte log z ComboFix.

Stahnete a ulozte nejlepe na plochu ComboFix: http://download.bleepingcomputer.com/sUBs/ComboFix.exe

pote spustte aplikaci pod uctem s administratorskym opravnenim

hned po startu se zobrazi obrazovka s licencnimi podminkami, pokracujte kliknutim na tlacitko Ano.

v klidu si postavte na kafe (cela akce trva cca. 5-10 minut, nekdy i dele - dle toho, o jak rychly stroj se jedna a kolika soubory se skener bude muset prodirat), behem skenu se nepokousejte spoustet zadne jine aplikace ani nic jineho

behem skenovani nepropadejte panice, vas stroj muze byt restartovan (predevsim pri prvni aplikaci skeneru)

upozorneni: pokud pouzivate antispyware s rezidentnim stitem, prepnete jeho rezidentni stit do Install Mode, pripadne jej po dobu skenu uplne deaktivujte, protoze dochazi pri skenu a vymazu pripadneho malware k nezadoucim kolizim s rezidentem antispyware

Je tam fake antivirus. Takhle to dopadne, když v PC nemáte ten legitimní.

BlackAngel · #3 Příspěvek od **BlackAngel** » 12 led 2010 20:55

ComboFix 10-01-12.02 - Nasgharet 12.01.2010 20:47:49.1.1 - x86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.420.1029.18.1023.778 [GMT 1:00]
Spuštěný z: c:\documents and settings\Nasgharet\Plocha\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\msa.exe
c:\windows\system32\ieuinit.inf
c:\windows\system32\sshnas.dll
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job

.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SSHNAS
-------\Service_SSHNAS

((((((((((((((((((((((((( Soubory vytvořené od 2009-12-12 do 2010-01-12 )))))))))))))))))))))))))))))))
.

2010-01-10 16:42 . 2006-04-29 13:25 40960 ----a-w- c:\windows\system32\psfind.dll
2010-01-10 16:42 . 2003-03-18 23:14 499712 ----a-w- c:\windows\system32\MSVCP71.dll
2010-01-10 15:42 . 2010-01-10 15:42 -------- d-----w- c:\windows\Sun
2010-01-06 07:52 . 2004-08-03 22:08 26496 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2010-01-04 23:08 . 1999-10-11 01:01 41984 ----a-w- c:\windows\CTREGRUN.EXE
2010-01-04 23:06 . 2000-05-11 00:00 90112 ----a-w- c:\windows\Updreg.exe
2010-01-04 23:05 . 2001-08-31 13:37 36992 ----a-w- c:\windows\system32\drivers\sfman.sys
2010-01-04 23:05 . 2001-08-14 15:17 775296 ----a-w- c:\windows\system32\drivers\emu10k1f.sys
2010-01-04 23:05 . 2001-07-11 11:34 6912 ----a-w- c:\windows\system32\drivers\ctlface.sys
2010-01-04 23:05 . 1998-10-14 16:03 59392 -c--a-w- c:\windows\system32\dllcache\a3d.dll
2010-01-04 23:05 . 1998-10-14 16:03 59392 ----a-w- c:\windows\system32\a3d.dll
2010-01-04 23:04 . 1998-06-05 01:00 84992 ------w- c:\windows\system32\sfcvrt32.dll
2010-01-04 23:04 . 1998-01-08 00:00 1048576 ------w- c:\windows\system32\sfman.dat
2010-01-04 23:04 . 1995-08-30 01:02 82432 ------w- c:\windows\system32\Ctwflt32.dll
2010-01-04 23:04 . 1995-07-13 01:01 26768 ------w- c:\windows\system32\ctl3d.dll
2010-01-04 23:04 . 1995-01-13 13:10 149504 ------w- c:\windows\system32\mfcans32.dll
2010-01-04 23:04 . 1995-01-13 13:10 108032 ------w- c:\windows\system32\mfcuia32.dll
2010-01-04 23:04 . 1997-06-02 03:06 34816 ------w- c:\windows\CTRes32.dll
2010-01-04 23:04 . 1996-05-23 01:24 24976 ------w- c:\windows\ctres.dll
2010-01-04 23:04 . 1994-12-05 02:11 53552 ------w- c:\windows\ctccw.dll
2010-01-04 23:02 . 1998-03-19 00:00 3584 ----a-w- c:\windows\system32\Ahqcpres.dll
2010-01-04 23:01 . 2010-01-04 23:01 -------- d-----w- C:\Media
2010-01-04 23:01 . 1999-12-13 00:01 44032 ----a-w- c:\windows\system32\CTSVCCDA.EXE
2010-01-04 23:01 . 1999-11-18 00:00 25088 ----a-w- c:\windows\system32\CTSVCCTL.EXE
2010-01-04 23:00 . 2001-01-31 00:01 307200 ------w- c:\windows\system32\CtMp3Lib.dll
2010-01-04 23:00 . 2001-01-23 00:05 110592 ------w- c:\windows\system32\ctmp3io2.dll
2010-01-04 23:00 . 2001-10-03 11:39 28672 ------w- c:\windows\system32\CTIntRes.dll
2010-01-04 23:00 . 2001-10-03 11:39 57856 ------w- c:\windows\system32\CTDETRES.DLL
2010-01-04 23:00 . 2001-10-03 11:38 73728 ------w- c:\windows\system32\CTDrmRes.dll
2010-01-04 23:00 . 2001-03-14 01:50 393216 ------w- c:\windows\system32\CTMedEng.dll
2010-01-04 23:00 . 2000-11-29 00:10 155648 ------w- c:\windows\system32\CTDrmUI.dll
2010-01-04 23:00 . 2000-04-20 00:00 24576 ------w- c:\windows\system32\CTMERes.DLL
2010-01-04 23:00 . 1998-10-20 15:05 54784 ------w- c:\windows\system32\Inetwh32.dll
2010-01-04 22:58 . 1999-12-17 00:00 6752 ------w- c:\windows\system32\PfModNT.sys
2010-01-04 22:58 . 2010-01-04 23:08 -------- d-----w- c:\program files\Creative
2010-01-04 19:02 . 2003-06-19 00:31 18944 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\mdippr.dll
2010-01-04 19:02 . 2003-06-19 00:31 17920 ----a-w- c:\windows\system32\mdimon.dll
2010-01-04 19:02 . 2010-01-04 19:02 -------- d-----w- c:\windows\SHELLNEW
2010-01-04 19:02 . 2010-01-04 19:02 -------- d-----w- c:\program files\Microsoft.NET

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-10 16:34 . 2010-01-04 17:35 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-10 16:33 . 2010-01-04 17:35 -------- d-----w- c:\program files\Common Files\InstallShield
2010-01-05 18:10 . 2010-01-04 17:22 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-01-05 18:10 . 2010-01-04 17:22 2426 ----a-w- c:\windows\pchealth\helpctr\PackageStore\SkuStore.bin
2010-01-05 18:09 . 2010-01-04 17:22 8972 ----a-w- c:\windows\pchealth\helpctr\Config\Cntstore.bin
2010-01-04 18:57 . 2010-01-04 18:56 -------- d-----w- c:\program files\DAEMON Tools Lite
2010-01-04 18:57 . 2010-01-04 18:57 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-01-04 18:27 . 2010-01-04 18:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-04 18:27 . 2010-01-04 18:27 -------- d-----w- c:\program files\Java
2010-01-04 18:25 . 2010-01-04 18:25 -------- d-----w- c:\program files\Codec Pack - All In 1
2010-01-04 18:24 . 2010-01-04 18:25 737280 ----a-w- c:\windows\iun6002.exe
2010-01-04 18:19 . 2010-01-04 18:19 -------- d-----w- c:\program files\VideoLAN
2010-01-04 18:17 . 2010-01-04 18:17 -------- d-----w- c:\program files\Winamp
2010-01-04 18:17 . 2010-01-04 18:17 -------- d-----w- c:\program files\Winamp Detect
2010-01-04 17:57 . 2010-01-04 17:57 -------- d-----w- c:\program files\QIP Infium PafoPack
2010-01-04 17:49 . 2010-01-04 17:49 0 ----a-w- c:\windows\nsreg.dat
2010-01-04 17:49 . 2010-01-04 17:49 -------- d-----w- c:\program files\CentrumczToolbar
2010-01-04 17:45 . 2010-01-04 17:41 -------- d-----w- c:\program files\ATI Technologies
2010-01-04 17:44 . 2001-10-25 10:00 67908 ----a-w- c:\windows\system32\perfc005.dat
2010-01-04 17:44 . 2001-10-25 10:00 429938 ----a-w- c:\windows\system32\perfh005.dat
2010-01-04 17:35 . 2010-01-04 17:35 -------- d-----w- c:\program files\VIA
2010-01-04 17:23 . 2010-01-04 17:23 -------- d-----w- c:\program files\microsoft frontpage
2010-01-04 17:19 . 2010-01-04 17:19 21812 ----a-w- c:\windows\system32\emptyregdb.dat
2004-08-17 13:49 . 2004-08-17 13:49 165016 --sha-r- c:\windows\system32\vwuqpo.dll
.

(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-24 344064]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2004-11-24 32768]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-12-21 39424]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-04 149280]
"Disc Detector"="c:\program files\Creative\ShareDLL\CtNotify.exe" [1999-08-30 189952]
"UpdReg"="c:\windows\Updreg.exe" [2000-05-11 90112]
"AHQInit"="c:\program files\Creative\SBLive\Program\AHQInit.exe" [2001-05-10 102400]
"AudioHQ"="c:\program files\Creative\SBLive\AudioHQ\AHQTB.EXE" [2001-08-17 180224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-17 15360]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2004-11-24 32768]

c:\documents and settings\Nasgharet\Nabˇdka Start\Programy\Po spuçtŘnˇ\
infium.lnk - c:\program files\QIP Infium PafoPack\infium.exe [2010-1-4 24064]

c:\documents and settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
ATI CATALYST System Tray.lnk - c:\program files\ATI Technologies\ATI.ACE\CLI.exe [2004-11-25 32768]
VIA RAID TOOL.lnk - c:\program files\VIA\RAID\raid_tool.exe [2010-1-4 585728]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\sdc230\\StrongDC.exe"=
"c:\\Program Files\\QIP Infium PafoPack\\inf.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9215:TCP"= 9215:TCP:gcktpmoj

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [4.1.2010 19:57 691696]
S2 fvwby;Image Shell;c:\windows\system32\svchost.exe -k netsvcs [17.8.2004 14:49 14336]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
fvwby
.
.
------- Doplňkový sken -------
.
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Nasgharet\Data aplikací\Mozilla\Firefox\Profiles\gcxfqu2b.default\
FF - prefs.js: browser.search.selectedEngine - Centrum.cz Search
FF - prefs.js: browser.startup.homepage - www.seznam.cz
FF - prefs.js: keyword.URL - hxxp://search.centrum.cz/index.php?toolbar=centrum-1.0.0&q=
FF - component: c:\program files\CentrumczToolbar\Firefox\Cetrumcz@igeared\components\IGeared_cetrumczp_xputils2.dll
FF - component: c:\program files\CentrumczToolbar\Firefox\Cetrumcz@igeared\components\IGeared_cetrumczp_xputils3.dll
FF - component: c:\program files\CentrumczToolbar\Firefox\Cetrumcz@igeared\components\IGeared_cetrumczp_xputils35.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll

---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-12 20:51
Windows 5.1.2600 Service Pack 2 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Disc Detector = c:\program files\Creative\ShareDLL\CtNotify.exe?X???????????????? C?????Disc Detector?B???A???????A?@ ????B???@?$?@?? C?????U?@?????????@?B???A???????A?? ????B???@?????P???$?@?@ ??????k??w??????????@???????????????????B?????? ????????????????????????????B

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x867DB1F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7873fc3
\Driver\ACPI -> ACPI.sys @ 0xf76dbcb8
\Driver\atapi -> 0x867db1f8
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a1afe
ParseProcedure -> ntoskrnl.exe @ 0x80570a6e
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a1afe
ParseProcedure -> ntoskrnl.exe @ 0x80570a6e
NDIS: VIA Rhine II Fast Ethernet Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf7567ba0
PacketIndicateHandler -> NDIS.sys @ 0xf7574b21
SendHandler -> NDIS.sys @ 0xf755287b
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\fvwby]
"ServiceDll"="c:\windows\system32\vwuqpo.dll"
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(668)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\CTsvcCDA.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\devldr32.exe
c:\windows\system32\wscntfy.exe
c:\program files\Creative\ShareDLL\MediaDet.Exe
c:\program files\QIP Infium PafoPack\inf.exe
.
**************************************************************************
.
Celkový čas: 2010-01-12 20:53:52 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-01-12 19:53

Před spuštěním: Volných bajtů: 103 078 641 664
Po spuštění: Volných bajtů: 103 168 446 464

WindowsXP-KB310994-SP2-Pro-BootDisk-CSY.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - D93DE74ED5885068691044B90B2A9BF0

#4 Příspěvek od **Rudy** » 12 led 2010 21:06

Ještě dočistíme. Otevřte poznámkový blok a zkopírujte do něj:

Collect::
c:\windows\system32\vwuqpo.dll

Driver::
fvwby

Uložte na plochu jako CFScript.txt. Pak jej myší přetáhněte nad ikonu ComboFix a pusťte. CF se spustí a vykoná příkazy ze skriptu.

Obrázek

BlackAngel · #5 Příspěvek od **BlackAngel** » 13 led 2010 00:32

ComboFix 10-01-12.02 - Nasgharet 13.01.2010 0:27.2.1 - x86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.420.1029.18.1023.778 [GMT 1:00]
Spuštěný z: c:\documents and settings\Nasgharet\Plocha\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\Nasgharet\Plocha\CFScript.txt
.

((((((((((((((((((((((((( Soubory vytvořené od 2009-12-12 do 2010-01-12 )))))))))))))))))))))))))))))))
.

2010-01-10 16:42 . 2006-04-29 13:25 40960 ----a-w- c:\windows\system32\psfind.dll
2010-01-10 16:42 . 2003-03-18 23:14 499712 ----a-w- c:\windows\system32\MSVCP71.dll
2010-01-10 15:42 . 2010-01-10 15:42 -------- d-----w- c:\windows\Sun
2010-01-06 07:52 . 2004-08-03 22:08 26496 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2010-01-04 23:08 . 1999-10-11 01:01 41984 ----a-w- c:\windows\CTREGRUN.EXE
2010-01-04 23:06 . 2000-05-11 00:00 90112 ----a-w- c:\windows\Updreg.exe
2010-01-04 23:05 . 2001-08-31 13:37 36992 ----a-w- c:\windows\system32\drivers\sfman.sys
2010-01-04 23:05 . 2001-08-14 15:17 775296 ----a-w- c:\windows\system32\drivers\emu10k1f.sys
2010-01-04 23:05 . 2001-07-11 11:34 6912 ----a-w- c:\windows\system32\drivers\ctlface.sys
2010-01-04 23:05 . 1998-10-14 16:03 59392 -c--a-w- c:\windows\system32\dllcache\a3d.dll
2010-01-04 23:05 . 1998-10-14 16:03 59392 ----a-w- c:\windows\system32\a3d.dll
2010-01-04 23:04 . 1998-06-05 01:00 84992 ------w- c:\windows\system32\sfcvrt32.dll
2010-01-04 23:04 . 1998-01-08 00:00 1048576 ------w- c:\windows\system32\sfman.dat
2010-01-04 23:04 . 1995-08-30 01:02 82432 ------w- c:\windows\system32\Ctwflt32.dll
2010-01-04 23:04 . 1995-07-13 01:01 26768 ------w- c:\windows\system32\ctl3d.dll
2010-01-04 23:04 . 1995-01-13 13:10 149504 ------w- c:\windows\system32\mfcans32.dll
2010-01-04 23:04 . 1995-01-13 13:10 108032 ------w- c:\windows\system32\mfcuia32.dll
2010-01-04 23:04 . 1997-06-02 03:06 34816 ------w- c:\windows\CTRes32.dll
2010-01-04 23:04 . 1996-05-23 01:24 24976 ------w- c:\windows\ctres.dll
2010-01-04 23:04 . 1994-12-05 02:11 53552 ------w- c:\windows\ctccw.dll
2010-01-04 23:02 . 1998-03-19 00:00 3584 ----a-w- c:\windows\system32\Ahqcpres.dll
2010-01-04 23:01 . 2010-01-04 23:01 -------- d-----w- C:\Media
2010-01-04 23:01 . 1999-12-13 00:01 44032 ----a-w- c:\windows\system32\CTSVCCDA.EXE
2010-01-04 23:01 . 1999-11-18 00:00 25088 ----a-w- c:\windows\system32\CTSVCCTL.EXE
2010-01-04 23:00 . 2001-01-31 00:01 307200 ------w- c:\windows\system32\CtMp3Lib.dll
2010-01-04 23:00 . 2001-01-23 00:05 110592 ------w- c:\windows\system32\ctmp3io2.dll
2010-01-04 23:00 . 2001-10-03 11:39 28672 ------w- c:\windows\system32\CTIntRes.dll
2010-01-04 23:00 . 2001-10-03 11:39 57856 ------w- c:\windows\system32\CTDETRES.DLL
2010-01-04 23:00 . 2001-10-03 11:38 73728 ------w- c:\windows\system32\CTDrmRes.dll
2010-01-04 23:00 . 2001-03-14 01:50 393216 ------w- c:\windows\system32\CTMedEng.dll
2010-01-04 23:00 . 2000-11-29 00:10 155648 ------w- c:\windows\system32\CTDrmUI.dll
2010-01-04 23:00 . 2000-04-20 00:00 24576 ------w- c:\windows\system32\CTMERes.DLL
2010-01-04 23:00 . 1998-10-20 15:05 54784 ------w- c:\windows\system32\Inetwh32.dll
2010-01-04 22:58 . 1999-12-17 00:00 6752 ------w- c:\windows\system32\PfModNT.sys
2010-01-04 22:58 . 2010-01-04 23:08 -------- d-----w- c:\program files\Creative
2010-01-04 19:02 . 2003-06-19 00:31 18944 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\mdippr.dll
2010-01-04 19:02 . 2003-06-19 00:31 17920 ----a-w- c:\windows\system32\mdimon.dll
2010-01-04 19:02 . 2010-01-04 19:02 -------- d-----w- c:\windows\SHELLNEW
2010-01-04 19:02 . 2010-01-04 19:02 -------- d-----w- c:\program files\Microsoft.NET

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-10 16:34 . 2010-01-04 17:35 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-10 16:33 . 2010-01-04 17:35 -------- d-----w- c:\program files\Common Files\InstallShield
2010-01-05 18:10 . 2010-01-04 17:22 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-01-05 18:10 . 2010-01-04 17:22 2426 ----a-w- c:\windows\pchealth\helpctr\PackageStore\SkuStore.bin
2010-01-05 18:09 . 2010-01-04 17:22 8972 ----a-w- c:\windows\pchealth\helpctr\Config\Cntstore.bin
2010-01-04 18:57 . 2010-01-04 18:56 -------- d-----w- c:\program files\DAEMON Tools Lite
2010-01-04 18:57 . 2010-01-04 18:57 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-01-04 18:27 . 2010-01-04 18:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-04 18:27 . 2010-01-04 18:27 -------- d-----w- c:\program files\Java
2010-01-04 18:25 . 2010-01-04 18:25 -------- d-----w- c:\program files\Codec Pack - All In 1
2010-01-04 18:24 . 2010-01-04 18:25 737280 ----a-w- c:\windows\iun6002.exe
2010-01-04 18:19 . 2010-01-04 18:19 -------- d-----w- c:\program files\VideoLAN
2010-01-04 18:17 . 2010-01-04 18:17 -------- d-----w- c:\program files\Winamp
2010-01-04 18:17 . 2010-01-04 18:17 -------- d-----w- c:\program files\Winamp Detect
2010-01-04 17:57 . 2010-01-04 17:57 -------- d-----w- c:\program files\QIP Infium PafoPack
2010-01-04 17:49 . 2010-01-04 17:49 0 ----a-w- c:\windows\nsreg.dat
2010-01-04 17:49 . 2010-01-04 17:49 -------- d-----w- c:\program files\CentrumczToolbar
2010-01-04 17:45 . 2010-01-04 17:41 -------- d-----w- c:\program files\ATI Technologies
2010-01-04 17:44 . 2001-10-25 10:00 67908 ----a-w- c:\windows\system32\perfc005.dat
2010-01-04 17:44 . 2001-10-25 10:00 429938 ----a-w- c:\windows\system32\perfh005.dat
2010-01-04 17:35 . 2010-01-04 17:35 -------- d-----w- c:\program files\VIA
2010-01-04 17:23 . 2010-01-04 17:23 -------- d-----w- c:\program files\microsoft frontpage
2010-01-04 17:19 . 2010-01-04 17:19 21812 ----a-w- c:\windows\system32\emptyregdb.dat
2004-08-17 13:49 . 2004-08-17 13:49 165016 --sha-r- c:\windows\system32\vwuqpo.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-01-12_19.52.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-01-12 23:25 . 2010-01-12 23:25 16384 c:\windows\Temp\Perflib_Perfdata_6bc.dat
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-24 344064]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2004-11-24 32768]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-12-21 39424]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-04 149280]
"Disc Detector"="c:\program files\Creative\ShareDLL\CtNotify.exe" [1999-08-30 189952]
"UpdReg"="c:\windows\Updreg.exe" [2000-05-11 90112]
"AHQInit"="c:\program files\Creative\SBLive\Program\AHQInit.exe" [2001-05-10 102400]
"AudioHQ"="c:\program files\Creative\SBLive\AudioHQ\AHQTB.EXE" [2001-08-17 180224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-17 15360]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2004-11-24 32768]

c:\documents and settings\Nasgharet\Nabˇdka Start\Programy\Po spuçtŘnˇ\
infium.lnk - c:\program files\QIP Infium PafoPack\infium.exe [2010-1-4 24064]

c:\documents and settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
ATI CATALYST System Tray.lnk - c:\program files\ATI Technologies\ATI.ACE\CLI.exe [2004-11-25 32768]
VIA RAID TOOL.lnk - c:\program files\VIA\RAID\raid_tool.exe [2010-1-4 585728]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\sdc230\\StrongDC.exe"=
"c:\\Program Files\\QIP Infium PafoPack\\inf.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9215:TCP"= 9215:TCP:gcktpmoj

S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [4.1.2010 19:57 691696]
S2 fvwby;Image Shell;c:\windows\system32\svchost.exe -k netsvcs [17.8.2004 14:49 14336]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
fvwby
.
.
------- Doplňkový sken -------
.
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Nasgharet\Data aplikací\Mozilla\Firefox\Profiles\gcxfqu2b.default\
FF - prefs.js: browser.search.selectedEngine - Centrum.cz Search
FF - prefs.js: browser.startup.homepage - www.seznam.cz
FF - prefs.js: keyword.URL - hxxp://search.centrum.cz/index.php?toolbar=centrum-1.0.0&q=
FF - component: c:\program files\CentrumczToolbar\Firefox\Cetrumcz@igeared\components\IGeared_cetrumczp_xputils2.dll
FF - component: c:\program files\CentrumczToolbar\Firefox\Cetrumcz@igeared\components\IGeared_cetrumczp_xputils3.dll
FF - component: c:\program files\CentrumczToolbar\Firefox\Cetrumcz@igeared\components\IGeared_cetrumczp_xputils35.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll

---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-13 00:30
Windows 5.1.2600 Service Pack 2 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Disc Detector = c:\program files\Creative\ShareDLL\CtNotify.exe?X???????????????? C?????Disc Detector?B???A???????A?@ ????B???@?$?@?? C?????U?@?????????@?B???A???????A?? ????B???@?????P???$?@?@ ??????k??w??????????@???????????????????B?????? ????????????????????????????B

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\fvwby]
"ServiceDll"="c:\windows\system32\vwuqpo.dll"
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(652)
c:\windows\system32\Ati2evxx.dll
.
Celkový čas: 2010-01-13 00:31:10
ComboFix-quarantined-files.txt 2010-01-12 23:31
ComboFix2.txt 2010-01-12 19:53

Před spuštěním: Volných bajtů: 103 220 789 248
Po spuštění: Volných bajtů: 103 194 296 320

- - End Of File - - 07B290E9AA6CCEFB8FABD25F349FDAF6

#6 Příspěvek od **Rudy** » 13 led 2010 19:43

Nic se nestalo. Zkuste to ještě jednou, ale v nouz. režimu.

BlackAngel · #7 Příspěvek od **BlackAngel** » 14 led 2010 13:19

ComboFix 10-01-12.02 - Nasgharet 14.01.2010 13:11:13.3.1 - x86 MINIMAL
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.420.1029.18.1023.843 [GMT 1:00]
Spuštěný z: c:\documents and settings\Nasgharet\Plocha\ComboFix.exe
Použité ovládací přepínače :: C:\cfscript.txt

file zipped: c:\windows\system32\vwuqpo.dll
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\vwuqpo.dll

.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FVWBY
-------\Service_fvwby

((((((((((((((((((((((((( Soubory vytvořené od 2009-12-14 do 2010-01-14 )))))))))))))))))))))))))))))))
.

2010-01-10 16:42 . 2006-04-29 13:25 40960 ----a-w- c:\windows\system32\psfind.dll
2010-01-10 16:42 . 2003-03-18 23:14 499712 ----a-w- c:\windows\system32\MSVCP71.dll
2010-01-10 15:42 . 2010-01-10 15:42 -------- d-----w- c:\windows\Sun
2010-01-06 07:52 . 2004-08-03 22:08 26496 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2010-01-04 23:08 . 1999-10-11 01:01 41984 ----a-w- c:\windows\CTREGRUN.EXE
2010-01-04 23:06 . 2000-05-11 00:00 90112 ----a-w- c:\windows\Updreg.exe
2010-01-04 23:05 . 2001-08-31 13:37 36992 ----a-w- c:\windows\system32\drivers\sfman.sys
2010-01-04 23:05 . 2001-08-14 15:17 775296 ----a-w- c:\windows\system32\drivers\emu10k1f.sys
2010-01-04 23:05 . 2001-07-11 11:34 6912 ----a-w- c:\windows\system32\drivers\ctlface.sys
2010-01-04 23:05 . 1998-10-14 16:03 59392 -c--a-w- c:\windows\system32\dllcache\a3d.dll
2010-01-04 23:05 . 1998-10-14 16:03 59392 ----a-w- c:\windows\system32\a3d.dll
2010-01-04 23:04 . 1998-06-05 01:00 84992 ------w- c:\windows\system32\sfcvrt32.dll
2010-01-04 23:04 . 1998-01-08 00:00 1048576 ------w- c:\windows\system32\sfman.dat
2010-01-04 23:04 . 1995-08-30 01:02 82432 ------w- c:\windows\system32\Ctwflt32.dll
2010-01-04 23:04 . 1995-07-13 01:01 26768 ------w- c:\windows\system32\ctl3d.dll
2010-01-04 23:04 . 1995-01-13 13:10 149504 ------w- c:\windows\system32\mfcans32.dll
2010-01-04 23:04 . 1995-01-13 13:10 108032 ------w- c:\windows\system32\mfcuia32.dll
2010-01-04 23:04 . 1997-06-02 03:06 34816 ------w- c:\windows\CTRes32.dll
2010-01-04 23:04 . 1996-05-23 01:24 24976 ------w- c:\windows\ctres.dll
2010-01-04 23:04 . 1994-12-05 02:11 53552 ------w- c:\windows\ctccw.dll
2010-01-04 23:02 . 1998-03-19 00:00 3584 ----a-w- c:\windows\system32\Ahqcpres.dll
2010-01-04 23:01 . 2010-01-04 23:01 -------- d-----w- C:\Media
2010-01-04 23:01 . 1999-12-13 00:01 44032 ----a-w- c:\windows\system32\CTSVCCDA.EXE
2010-01-04 23:01 . 1999-11-18 00:00 25088 ----a-w- c:\windows\system32\CTSVCCTL.EXE
2010-01-04 23:00 . 2001-01-31 00:01 307200 ------w- c:\windows\system32\CtMp3Lib.dll
2010-01-04 23:00 . 2001-01-23 00:05 110592 ------w- c:\windows\system32\ctmp3io2.dll
2010-01-04 23:00 . 2001-10-03 11:39 28672 ------w- c:\windows\system32\CTIntRes.dll
2010-01-04 23:00 . 2001-10-03 11:39 57856 ------w- c:\windows\system32\CTDETRES.DLL
2010-01-04 23:00 . 2001-10-03 11:38 73728 ------w- c:\windows\system32\CTDrmRes.dll
2010-01-04 23:00 . 2001-03-14 01:50 393216 ------w- c:\windows\system32\CTMedEng.dll
2010-01-04 23:00 . 2000-11-29 00:10 155648 ------w- c:\windows\system32\CTDrmUI.dll
2010-01-04 23:00 . 2000-04-20 00:00 24576 ------w- c:\windows\system32\CTMERes.DLL
2010-01-04 23:00 . 1998-10-20 15:05 54784 ------w- c:\windows\system32\Inetwh32.dll
2010-01-04 22:58 . 1999-12-17 00:00 6752 ------w- c:\windows\system32\PfModNT.sys
2010-01-04 22:58 . 2010-01-04 23:08 -------- d-----w- c:\program files\Creative
2010-01-04 19:02 . 2003-06-19 00:31 18944 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\mdippr.dll
2010-01-04 19:02 . 2003-06-19 00:31 17920 ----a-w- c:\windows\system32\mdimon.dll
2010-01-04 19:02 . 2010-01-04 19:02 -------- d-----w- c:\windows\SHELLNEW
2010-01-04 19:02 . 2010-01-04 19:02 -------- d-----w- c:\program files\Microsoft.NET

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-10 16:34 . 2010-01-04 17:35 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-10 16:33 . 2010-01-04 17:35 -------- d-----w- c:\program files\Common Files\InstallShield
2010-01-05 18:10 . 2010-01-04 17:22 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-01-05 18:10 . 2010-01-04 17:22 2426 ----a-w- c:\windows\pchealth\helpctr\PackageStore\SkuStore.bin
2010-01-05 18:09 . 2010-01-04 17:22 8972 ----a-w- c:\windows\pchealth\helpctr\Config\Cntstore.bin
2010-01-04 18:57 . 2010-01-04 18:56 -------- d-----w- c:\program files\DAEMON Tools Lite
2010-01-04 18:57 . 2010-01-04 18:57 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-01-04 18:27 . 2010-01-04 18:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-04 18:27 . 2010-01-04 18:27 -------- d-----w- c:\program files\Java
2010-01-04 18:25 . 2010-01-04 18:25 -------- d-----w- c:\program files\Codec Pack - All In 1
2010-01-04 18:24 . 2010-01-04 18:25 737280 ----a-w- c:\windows\iun6002.exe
2010-01-04 18:19 . 2010-01-04 18:19 -------- d-----w- c:\program files\VideoLAN
2010-01-04 18:17 . 2010-01-04 18:17 -------- d-----w- c:\program files\Winamp
2010-01-04 18:17 . 2010-01-04 18:17 -------- d-----w- c:\program files\Winamp Detect
2010-01-04 17:57 . 2010-01-04 17:57 -------- d-----w- c:\program files\QIP Infium PafoPack
2010-01-04 17:49 . 2010-01-04 17:49 0 ----a-w- c:\windows\nsreg.dat
2010-01-04 17:49 . 2010-01-04 17:49 -------- d-----w- c:\program files\CentrumczToolbar
2010-01-04 17:45 . 2010-01-04 17:41 -------- d-----w- c:\program files\ATI Technologies
2010-01-04 17:44 . 2001-10-25 10:00 67908 ----a-w- c:\windows\system32\perfc005.dat
2010-01-04 17:44 . 2001-10-25 10:00 429938 ----a-w- c:\windows\system32\perfh005.dat
2010-01-04 17:35 . 2010-01-04 17:35 -------- d-----w- c:\program files\VIA
2010-01-04 17:23 . 2010-01-04 17:23 -------- d-----w- c:\program files\microsoft frontpage
2010-01-04 17:19 . 2010-01-04 17:19 21812 ----a-w- c:\windows\system32\emptyregdb.dat
.

((((((((((((((((((((((((((((( SnapShot@2010-01-12_19.52.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-01-14 12:16 . 2010-01-14 12:16 16384 c:\windows\temp\Perflib_Perfdata_7fc.dat
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-24 344064]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2004-11-24 32768]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-12-21 39424]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-04 149280]
"Disc Detector"="c:\program files\Creative\ShareDLL\CtNotify.exe" [1999-08-30 189952]
"UpdReg"="c:\windows\Updreg.exe" [2000-05-11 90112]
"AHQInit"="c:\program files\Creative\SBLive\Program\AHQInit.exe" [2001-05-10 102400]
"AudioHQ"="c:\program files\Creative\SBLive\AudioHQ\AHQTB.EXE" [2001-08-17 180224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-17 15360]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2004-11-24 32768]

c:\documents and settings\Nasgharet\Nabˇdka Start\Programy\Po spuçtŘnˇ\
infium.lnk - c:\program files\QIP Infium PafoPack\infium.exe [2010-1-4 24064]

c:\documents and settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
ATI CATALYST System Tray.lnk - c:\program files\ATI Technologies\ATI.ACE\CLI.exe [2004-11-25 32768]
VIA RAID TOOL.lnk - c:\program files\VIA\RAID\raid_tool.exe [2010-1-4 585728]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\sdc230\\StrongDC.exe"=
"c:\\Program Files\\QIP Infium PafoPack\\inf.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9215:TCP"= 9215:TCP:gcktpmoj

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [4.1.2010 19:57 691696]
.
.
------- Doplňkový sken -------
.
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Nasgharet\Data aplikací\Mozilla\Firefox\Profiles\gcxfqu2b.default\
FF - prefs.js: browser.search.selectedEngine - Centrum.cz Search
FF - prefs.js: browser.startup.homepage - www.seznam.cz
FF - prefs.js: keyword.URL - hxxp://search.centrum.cz/index.php?toolbar=centrum-1.0.0&q=
FF - component: c:\program files\CentrumczToolbar\Firefox\Cetrumcz@igeared\components\IGeared_cetrumczp_xputils2.dll
FF - component: c:\program files\CentrumczToolbar\Firefox\Cetrumcz@igeared\components\IGeared_cetrumczp_xputils3.dll
FF - component: c:\program files\CentrumczToolbar\Firefox\Cetrumcz@igeared\components\IGeared_cetrumczp_xputils35.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll

---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-14 13:16
Windows 5.1.2600 Service Pack 2 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Disc Detector = c:\program files\Creative\ShareDLL\CtNotify.exe?X???????????????? C?????Disc Detector?B???A???????A?@ ????B???@?$?@?? C?????U?@?????????@?B???A???????A?? ????B???@?????P???$?@?@ ??????k??w??????????@???????????????????B?????? ????????????????????????????B

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x867DB1F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7873fc3
\Driver\ACPI -> ACPI.sys @ 0xf76dbcb8
\Driver\atapi -> 0x867db1f8
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a1afe
ParseProcedure -> ntoskrnl.exe @ 0x80570a6e
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a1afe
ParseProcedure -> ntoskrnl.exe @ 0x80570a6e
NDIS: VIA Rhine II Fast Ethernet Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf7567ba0
PacketIndicateHandler -> NDIS.sys @ 0xf7574b21
SendHandler -> NDIS.sys @ 0xf755287b
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(668)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\CTsvcCDA.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\devldr32.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\wscntfy.exe
c:\program files\Creative\ShareDLL\MediaDet.Exe
c:\program files\QIP Infium PafoPack\inf.exe
.
**************************************************************************
.
Celkový čas: 2010-01-14 13:18:46 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-01-14 12:18
ComboFix2.txt 2010-01-12 23:31
ComboFix3.txt 2010-01-12 19:53

Před spuštěním: Volných bajtů: 104 229 081 088
Po spuštění: Volných bajtů: 103 128 260 608

- - End Of File - - E8C9025D4CBC556FB50D999C9A62E6DB

#8 Příspěvek od **Rudy** » 14 led 2010 18:41

Položky smazány. Ještě poprosím o sken MBR: http://www2.gmer.net/mbr/mbr.exe . Dejte log.

BlackAngel · #9 Příspěvek od **BlackAngel** » 15 led 2010 13:03

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

#10 Příspěvek od **Rudy** » 15 led 2010 19:29

MBR je čistý a s ním celý PC.

BlackAngel · #11 Příspěvek od **BlackAngel** » 16 led 2010 17:59

Děkuji mnohokrát za pomoc.

#12 Příspěvek od **Rudy** » 16 led 2010 18:47

Nemáte zač!

VIRY.CZ

Prosím o kontrolu logu.....děkuji

Prosím o kontrolu logu.....děkuji

Re: Prosím o kontrolu logu.....děkuji

Re: Prosím o kontrolu logu.....děkuji

Re: Prosím o kontrolu logu.....děkuji

Zasílám log po provedení

Re: Prosím o kontrolu logu.....děkuji

Posílám další log z combofixu

Re: Prosím o kontrolu logu.....děkuji

Re: Prosím o kontrolu logu.....děkuji

Re: Prosím o kontrolu logu.....děkuji

Re: Prosím o kontrolu logu.....děkuji

Re: Prosím o kontrolu logu.....děkuji