win32/mebroot.BG
Napsal: 08 úno 2010 23:30
Ahoj
Prosím o pomoc s torjským koněm win32/mebroot.BG
Nejsem moc v počítačích zběhlý, tak bych potřboval polopatě postup.
Zkusil jsem něco , co už se zde na fóru někdo pokoušel, ale nevímm co dál s logem z combofixu.
díky za radu
Zde ten log:
ComboFix 10-02-08.02 - Pája 08.02.2010 23:06:08.1.1 - x86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.420.1029.18.511.225 [GMT 1:00]
Spuštěný z: c:\documents and settings\Pája\Plocha\ComboFix.exe
AV: ESET Smart Security 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
.
((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\12271.exe
c:\windows\system32\12675.exe
c:\windows\system32\14222.exe
c:\windows\system32\18467.exe
c:\windows\system32\21359.exe
c:\windows\system32\24423.exe
c:\windows\system32\27273.exe
c:\windows\system32\31343.exe
c:\windows\system32\32736.exe
c:\windows\system32\391.exe
c:\windows\system32\4815.exe
c:\windows\system32\5697.exe
c:\windows\system32\6334.exe
c:\windows\system32\auto.exe
c:\windows\system32\ieuinit.inf
.
((((((((((((((((((((((((( Soubory vytvořené od 2010-01-08 do 2010-02-08 )))))))))))))))))))))))))))))))
.
2010-02-08 19:20 . 2010-02-08 19:20 -------- d-----w- c:\program files\ESET
2010-02-04 17:26 . 2009-08-06 18:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-02-04 17:26 . 2009-08-06 18:23 215920 ----a-w- c:\windows\system32\muweb.dll
2010-02-03 17:10 . 2010-02-03 17:10 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-31 18:27 . 2010-02-03 20:16 -------- d-----w- C:\Filmy
2010-01-23 20:14 . 2010-01-23 20:14 -------- d-----w- C:\a0ffb4c9ba048d2ed5
2010-01-17 10:19 . 2010-01-17 19:49 -------- d-----w- c:\program files\Crawler
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-07 09:57 . 2010-01-08 16:26 -------- d-----w- c:\program files\ts
2010-01-27 10:29 . 2009-06-15 20:25 -------- d-----w- c:\program files\Google
2010-01-22 19:55 . 2009-04-18 07:17 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-01-14 09:17 . 2001-10-25 14:00 46016 ----a-w- c:\windows\system32\perfc005.dat
2010-01-14 09:17 . 2001-10-25 14:00 309716 ----a-w- c:\windows\system32\perfh005.dat
2010-01-08 07:13 . 2009-06-19 07:10 33096 ----a-w- c:\windows\system32\drivers\epfwndis.sys
2010-01-05 18:05 . 2010-01-05 18:05 -------- d-----w- c:\program files\AVG
2010-01-05 17:15 . 2010-01-05 17:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-30 13:55 . 2010-01-05 17:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-30 13:54 . 2010-01-05 17:15 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-18 14:02 . 2009-11-16 08:06 135048 ----a-w- c:\windows\system32\drivers\epfw.sys
2009-11-21 16:46 . 2004-08-17 13:49 470528 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-16 08:06 . 2009-11-16 08:06 55768 ----a-w- c:\windows\system32\drivers\epfwtdi.sys
2009-11-16 08:03 . 2009-11-16 08:03 108792 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2009-11-16 07:56 . 2009-11-16 07:56 116520 ----a-w- c:\windows\system32\drivers\eamon.sys
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-17 1667584]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2003-08-15 57344]
"C-Media Mixer"="Mixer.exe" [2002-01-28 1228800]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-16 136600]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-08-22 81920]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-11-16 2054360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-17 15360]
c:\documents and settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
uninstall.exe [2010-2-8 421888]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Nabídka Start^Programy^Po spuštění^raid_tool.exe.lnk]
path=c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\raid_tool.exe.lnk
backup=c:\windows\pss\raid_tool.exe.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2004-08-17 13:49 15360 ------w- c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
2004-08-22 15:05 81920 ----a-w- c:\program files\D-Tools\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 09:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"VSS"=3 (0x3)
"UPS"=3 (0x3)
"SwPrv"=3 (0x3)
"RDSessMgr"=3 (0x3)
"NtmsSvc"=3 (0x3)
"mnmsrvc"=3 (0x3)
"CiSvc"=3 (0x3)
"wscsvc"=2 (0x2)
"TrkWks"=2 (0x2)
"TermService"=3 (0x3)
"TapiSrv"=3 (0x3)
"srservice"=2 (0x2)
"SENS"=2 (0x2)
"seclogon"=2 (0x2)
"Schedule"=2 (0x2)
"SamSs"=2 (0x2)
"RemoteRegistry"=2 (0x2)
"RasMan"=3 (0x3)
"ProtectedStorage"=2 (0x2)
"helpsvc"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"ERSvc"=2 (0x2)
"CryptSvc"=2 (0x2)
"Browser"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\EA Games\\The Battle for Middle-earth (tm)\\game.dat"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [8.5.2008 22:25 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [8.5.2008 22:25 5248]
R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [8.5.2008 22:35 77056]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [16.11.2009 9:03 108792]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [16.11.2009 9:04 735960]
.
Obsah adresáře 'Naplánované úlohy'
2010-02-08 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2010-01-05 21:18]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.seznam.cz/
FF - ProfilePath - c:\documents and settings\Pája\Data aplikací\Mozilla\Firefox\Profiles\6qafev9l.default\
FF - prefs.js: browser.search.selectedEngine - WebHledani
FF - prefs.js: browser.startup.homepage - hxxp://www.idnes.cz/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=cs&q=
FF - component: c:\documents and settings\Pája\Data aplikací\Mozilla\Firefox\Profiles\6qafev9l.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-08 23:08
Windows 5.1.2600 Service Pack 2 NTFS
skenování skrytých procesů ...
skenování skrytých položek 'Po spuštění' ...
skenování skrytých souborů ...
sken byl úspešně dokončen
skryté soubory: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x81E9A008]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf857afc3
\Driver\ACPI -> ACPI.sys @ 0xf84c7cb8
\Driver\atapi -> 0x81e9a008
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0084
ParseProcedure -> ntoskrnl.exe @ 0x8056f07e
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0084
ParseProcedure -> ntoskrnl.exe @ 0x8056f07e
NDIS: VIA Rhine II Fast Ethernet Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf834dba0
PacketIndicateHandler -> NDIS.sys @ 0xf835ab21
SendHandler -> NDIS.sys @ 0xf833887b
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 0x0DF9B543
malicious code @ sector 0x0DF9B546 !
PE file found in sector at 0x0DF9B55C !
**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------
[HKEY_USERS\S-1-5-21-436374069-1604221776-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:8f,63,1a,f9,f2,23,f5,b0,e4,a8,23,49,2c,8c,03,9d,e5,d6,e7,05,eb,2f,a1,
82,2a,1c,ce,18,e2,a0,68,35,a6,dd,a1,eb,76,4c,66,62,3c,fe,fa,48,8f,ac,99,d5,\
"??"=hex:ae,3b,ba,38,7b,6f,8b,bf,37,87,9b,c3,d0,0c,63,a7
.
Celkový čas: 2010-02-08 23:09:49
ComboFix-quarantined-files.txt 2010-02-08 22:09
Před spuštěním: Volných bajtů: 20 373 991 424
Po spuštění: Volných bajtů: 20 427 616 256
WindowsXP-KB310994-SP2-Pro-BootDisk-CSY.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - DEB766E22C6C9C46AD0D7E3B6522AE7B
Prosím o pomoc s torjským koněm win32/mebroot.BG
Nejsem moc v počítačích zběhlý, tak bych potřboval polopatě postup.
Zkusil jsem něco , co už se zde na fóru někdo pokoušel, ale nevímm co dál s logem z combofixu.
díky za radu
Zde ten log:
ComboFix 10-02-08.02 - Pája 08.02.2010 23:06:08.1.1 - x86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.420.1029.18.511.225 [GMT 1:00]
Spuštěný z: c:\documents and settings\Pája\Plocha\ComboFix.exe
AV: ESET Smart Security 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
.
((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\12271.exe
c:\windows\system32\12675.exe
c:\windows\system32\14222.exe
c:\windows\system32\18467.exe
c:\windows\system32\21359.exe
c:\windows\system32\24423.exe
c:\windows\system32\27273.exe
c:\windows\system32\31343.exe
c:\windows\system32\32736.exe
c:\windows\system32\391.exe
c:\windows\system32\4815.exe
c:\windows\system32\5697.exe
c:\windows\system32\6334.exe
c:\windows\system32\auto.exe
c:\windows\system32\ieuinit.inf
.
((((((((((((((((((((((((( Soubory vytvořené od 2010-01-08 do 2010-02-08 )))))))))))))))))))))))))))))))
.
2010-02-08 19:20 . 2010-02-08 19:20 -------- d-----w- c:\program files\ESET
2010-02-04 17:26 . 2009-08-06 18:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-02-04 17:26 . 2009-08-06 18:23 215920 ----a-w- c:\windows\system32\muweb.dll
2010-02-03 17:10 . 2010-02-03 17:10 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-31 18:27 . 2010-02-03 20:16 -------- d-----w- C:\Filmy
2010-01-23 20:14 . 2010-01-23 20:14 -------- d-----w- C:\a0ffb4c9ba048d2ed5
2010-01-17 10:19 . 2010-01-17 19:49 -------- d-----w- c:\program files\Crawler
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-07 09:57 . 2010-01-08 16:26 -------- d-----w- c:\program files\ts
2010-01-27 10:29 . 2009-06-15 20:25 -------- d-----w- c:\program files\Google
2010-01-22 19:55 . 2009-04-18 07:17 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-01-14 09:17 . 2001-10-25 14:00 46016 ----a-w- c:\windows\system32\perfc005.dat
2010-01-14 09:17 . 2001-10-25 14:00 309716 ----a-w- c:\windows\system32\perfh005.dat
2010-01-08 07:13 . 2009-06-19 07:10 33096 ----a-w- c:\windows\system32\drivers\epfwndis.sys
2010-01-05 18:05 . 2010-01-05 18:05 -------- d-----w- c:\program files\AVG
2010-01-05 17:15 . 2010-01-05 17:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-30 13:55 . 2010-01-05 17:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-30 13:54 . 2010-01-05 17:15 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-18 14:02 . 2009-11-16 08:06 135048 ----a-w- c:\windows\system32\drivers\epfw.sys
2009-11-21 16:46 . 2004-08-17 13:49 470528 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-16 08:06 . 2009-11-16 08:06 55768 ----a-w- c:\windows\system32\drivers\epfwtdi.sys
2009-11-16 08:03 . 2009-11-16 08:03 108792 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2009-11-16 07:56 . 2009-11-16 07:56 116520 ----a-w- c:\windows\system32\drivers\eamon.sys
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-17 1667584]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2003-08-15 57344]
"C-Media Mixer"="Mixer.exe" [2002-01-28 1228800]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-16 136600]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-08-22 81920]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-11-16 2054360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-17 15360]
c:\documents and settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
uninstall.exe [2010-2-8 421888]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Nabídka Start^Programy^Po spuštění^raid_tool.exe.lnk]
path=c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\raid_tool.exe.lnk
backup=c:\windows\pss\raid_tool.exe.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2004-08-17 13:49 15360 ------w- c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
2004-08-22 15:05 81920 ----a-w- c:\program files\D-Tools\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 09:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"VSS"=3 (0x3)
"UPS"=3 (0x3)
"SwPrv"=3 (0x3)
"RDSessMgr"=3 (0x3)
"NtmsSvc"=3 (0x3)
"mnmsrvc"=3 (0x3)
"CiSvc"=3 (0x3)
"wscsvc"=2 (0x2)
"TrkWks"=2 (0x2)
"TermService"=3 (0x3)
"TapiSrv"=3 (0x3)
"srservice"=2 (0x2)
"SENS"=2 (0x2)
"seclogon"=2 (0x2)
"Schedule"=2 (0x2)
"SamSs"=2 (0x2)
"RemoteRegistry"=2 (0x2)
"RasMan"=3 (0x3)
"ProtectedStorage"=2 (0x2)
"helpsvc"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"ERSvc"=2 (0x2)
"CryptSvc"=2 (0x2)
"Browser"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\EA Games\\The Battle for Middle-earth (tm)\\game.dat"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [8.5.2008 22:25 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [8.5.2008 22:25 5248]
R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [8.5.2008 22:35 77056]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [16.11.2009 9:03 108792]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [16.11.2009 9:04 735960]
.
Obsah adresáře 'Naplánované úlohy'
2010-02-08 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2010-01-05 21:18]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.seznam.cz/
FF - ProfilePath - c:\documents and settings\Pája\Data aplikací\Mozilla\Firefox\Profiles\6qafev9l.default\
FF - prefs.js: browser.search.selectedEngine - WebHledani
FF - prefs.js: browser.startup.homepage - hxxp://www.idnes.cz/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=cs&q=
FF - component: c:\documents and settings\Pája\Data aplikací\Mozilla\Firefox\Profiles\6qafev9l.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-08 23:08
Windows 5.1.2600 Service Pack 2 NTFS
skenování skrytých procesů ...
skenování skrytých položek 'Po spuštění' ...
skenování skrytých souborů ...
sken byl úspešně dokončen
skryté soubory: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x81E9A008]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf857afc3
\Driver\ACPI -> ACPI.sys @ 0xf84c7cb8
\Driver\atapi -> 0x81e9a008
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0084
ParseProcedure -> ntoskrnl.exe @ 0x8056f07e
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0084
ParseProcedure -> ntoskrnl.exe @ 0x8056f07e
NDIS: VIA Rhine II Fast Ethernet Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf834dba0
PacketIndicateHandler -> NDIS.sys @ 0xf835ab21
SendHandler -> NDIS.sys @ 0xf833887b
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 0x0DF9B543
malicious code @ sector 0x0DF9B546 !
PE file found in sector at 0x0DF9B55C !
**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------
[HKEY_USERS\S-1-5-21-436374069-1604221776-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:8f,63,1a,f9,f2,23,f5,b0,e4,a8,23,49,2c,8c,03,9d,e5,d6,e7,05,eb,2f,a1,
82,2a,1c,ce,18,e2,a0,68,35,a6,dd,a1,eb,76,4c,66,62,3c,fe,fa,48,8f,ac,99,d5,\
"??"=hex:ae,3b,ba,38,7b,6f,8b,bf,37,87,9b,c3,d0,0c,63,a7
.
Celkový čas: 2010-02-08 23:09:49
ComboFix-quarantined-files.txt 2010-02-08 22:09
Před spuštěním: Volných bajtů: 20 373 991 424
Po spuštění: Volných bajtů: 20 427 616 256
WindowsXP-KB310994-SP2-Pro-BootDisk-CSY.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - DEB766E22C6C9C46AD0D7E3B6522AE7B
Pokud nemáte, přesuňte Combofix na plochu
