Dobrý den. chtěl bych Vás požádat o pomoc s Rootkit-gen, Avast 4.8 mi hlásí nález v systému myslim soubor obdffd.sys. Když ho dám smazat tak za půl hodiny mi ten samý soubor zase najde. I když použiji MSCONFIG ve spuštění a vypnu v liště PO SPUŠTĚNÍ - winesm32 tak dalším startem počítače je tam znova.
Provedl jsem souštění combofix a tady posílám log:
Předem děkuji za pomoc.
ComboFix 10-03-06.06 - Jenda 07.03.2010 10:58:34.1.2 - x86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.420.1029.18.2047.1594 [GMT 1:00]
Spuštěný z: c:\documents and settings\Jenda\Plocha\ComboFix.exe
AV: avast! antivirus 4.8.1201 [VPS 100306-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Jenda\Data aplikací\Microsoft\svchosts.exe
c:\documents and settings\Jenda\Dokumenty\cc_20090124_155628.reg
c:\documents and settings\Jenda\Dokumenty\cc_20091029_162951.reg
c:\documents and settings\Jenda\Dokumenty\cc_20091029_184128.reg
c:\documents and settings\Jenda\Dokumenty\cc_20091209_204515.reg
c:\windows\AegisP.inf
c:\windows\system32\ieuinit.inf
c:\windows\system32\phcrdgj0e70g.bmp
c:\windows\system32\pphcrdgj0e70g.exe
c:\windows\system32\vb40032.dll
.
((((((((((((((((((((((((( Soubory vytvořené od 2010-02-07 do 2010-03-07 )))))))))))))))))))))))))))))))
.
2010-03-06 10:49 . 2010-03-06 11:02 -------- d-----w- C:\AVATAR
2010-03-06 08:51 . 2010-03-06 08:53 42376 ----a-w- c:\windows\system32\drivers\ikfilesec.sys
2010-03-06 08:51 . 2007-12-10 13:53 29576 ----a-w- c:\windows\system32\drivers\kcom.sys
2010-03-06 08:51 . 2007-12-10 13:53 81288 ----a-w- c:\windows\system32\drivers\iksyssec.sys
2010-03-06 08:51 . 2007-12-10 13:53 66952 ----a-w- c:\windows\system32\drivers\iksysflt.sys
2010-03-05 11:20 . 2010-03-05 15:39 -------- d-----w- c:\program files\Freeware PDF Unlocker
2010-02-28 10:07 . 2008-05-16 00:15 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-02-28 10:07 . 2008-05-16 00:14 42912 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-02-28 10:07 . 2008-05-16 00:13 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-02-28 10:07 . 2008-05-16 00:20 78416 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-02-28 10:07 . 2008-05-16 00:16 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-02-28 10:07 . 2008-05-16 00:12 95608 ----a-w- c:\windows\system32\AvastSS.scr
2010-02-28 10:07 . 2008-05-16 00:18 94416 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-02-28 10:07 . 2008-01-17 17:34 93264 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-02-28 10:06 . 2008-05-16 00:24 1152888 ----a-w- c:\windows\system32\aswBoot.exe
2010-02-28 09:39 . 2010-02-28 10:06 -------- d-----w- c:\program files\Alwil Software
2010-02-27 20:18 . 2010-03-07 10:02 792064 ----a-w- c:\windows\system32\drivers\obbdfd.sys
2010-02-26 19:41 . 2008-03-05 14:56 3786760 ----a-w- c:\windows\system32\D3DX9_37.dll
2010-02-26 19:32 . 2007-03-01 12:38 1417216 ----a-w- c:\windows\system32\iSED.dll
2010-02-26 19:32 . 2010-02-26 19:32 -------- d-----w- c:\program files\Split and Merge PDF
2010-02-21 11:35 . 2010-02-21 11:42 -------- d-----w- C:\bobik
2010-02-17 18:37 . 2010-02-24 12:31 -------- d-----w- c:\program files\Stavební fyzika
2010-02-17 15:48 . 2010-02-17 15:48 -------- d-----w- c:\program files\Common Files\DWGdirectX 2.5
2010-02-17 15:44 . 2008-05-08 10:37 2741248 ----a-w- c:\windows\system32\CyViewer.dll
2010-02-17 15:43 . 2006-09-26 05:44 62464 ----a-w- c:\windows\system32\sevLock.dll
2010-02-13 13:54 . 2010-02-24 12:29 -------- d-----w- c:\program files\Common Files\Svoboda Software
2010-02-12 15:22 . 2010-02-12 15:22 -------- d-sh--w- c:\windows\ftpcache
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-06 10:48 . 2008-08-10 07:13 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-06 09:04 . 2008-08-21 13:50 -------- d-----w- c:\program files\Spyware Doctor
2010-02-26 20:03 . 2008-08-10 08:31 27335 ----a-w- c:\windows\system32\nvModes.dat
2010-01-14 17:44 . 2010-01-14 17:41 -------- d-----w- c:\program files\DrivingSpeed2
2008-12-03 15:32 . 2008-12-03 15:05 88 --sh--r- c:\windows\system32\A7AC9EF47D.sys
2009-07-06 13:09 . 2008-12-03 15:05 2880 --sha-w- c:\windows\system32\KGyGaAvL.sys
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-10-28 94208]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-23 16804864]
"nwiz"="nwiz.exe" [2007-09-28 1626112]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-28 8491008]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-17 110592]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 221184]
"QuickTime Task"="c:\programy\QuickTime\qttask.exe" [2008-05-27 413696]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-06-01 823296]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-06-01 974848]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-16 79224]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-17 15360]
c:\documents and settings\Jenda\Nabˇdka Start\Programy\Po spuçtŘnˇ\
winesm32.exe [2004-8-17 29184]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Nabídka Start^Programy^Po spuštění^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Jenda^Nabídka Start^Programy^Po spuštění^Adobe Gamma.lnk]
path=c:\documents and settings\Jenda\Nabídka Start\Programy\Po spuštění\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Jenda^Nabídka Start^Programy^Po spuštění^MagicDisc.lnk]
path=c:\documents and settings\Jenda\Nabídka Start\Programy\Po spuštění\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Jenda^Nabídka Start^Programy^Po spuštění^winesm32.exe]
path=c:\documents and settings\Jenda\Nabídka Start\Programy\Po spuštění\winesm32.exe
backup=c:\windows\pss\winesm32.exeStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ABUNINSTALLEX]
2007-07-03 10:37 263664 ----a-w- c:\documents and settings\All Users\Data aplikací\AB Studio\ABUnInstallEx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-05-11 11:06 40048 ----a-w- c:\programy\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BisonHK]
2007-03-15 14:37 32768 ----a-w- c:\windows\BisonCam\BisonHK.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BsMnt]
2007-03-15 14:34 172032 ----a-w- c:\windows\BisonCam\BsMnt.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehRecord]
2007-12-31 14:30 221184 ----a-w- c:\program files\USB_video_device\Utility\MS_Tool\ehRecord.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-06-16 04:03 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MGSysCtrl]
2007-11-21 08:33 180224 ----a-w- c:\program files\System Control Manager\MGSysCtrl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-08-17 13:58 1667584 ------w- c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 08:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
2008-10-02 06:00 1124352 ----a-w- c:\programy\Nokia\Nokia PC Suite 7\PCSuite.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-05-27 08:50 413696 ----a-w- c:\programy\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-07-25 03:23 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WireLessMouse]
2005-11-30 10:48 94208 ----a-w- c:\programy\Multimedia Mouse Driver\StartAutorun.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Programy\\EA GAMES\\MOHAA\\MOHAA.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Programy\\Nero 7\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"c:\\Programy\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\Graphisoft\\ArchiCAD 10\\ArchiCAD.exe"=
"c:\\Programy\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Total Uninstall 5\\TuAgent.exe"=
"c:\\Program Files\\Total Uninstall 5\\TuStarter.exe"=
"c:\\Program Files\\Total Uninstall 5\\Tu.exe"=
R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [10.8.2008 9:29 39680]
R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [10.8.2008 9:29 35712]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [28.2.2010 11:07 78416]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [28.2.2010 11:07 20560]
R3 MGHwCtrl;MGHwCtrl;c:\windows\system32\drivers\MGHwCtrl.sys [8.10.2009 14:43 9088]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10.8.2008 11:00 717296]
S2 NishService;SCM Driver Daemon;c:\program files\System Control Manager\edd.exe [8.10.2009 14:43 40960]
S3 MKSAWT;MKSAWT;c:\docume~1\Jenda\LOCALS~1\Temp\MKSAWT.exe --> c:\docume~1\Jenda\LOCALS~1\Temp\MKSAWT.exe [?]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [23.7.2009 18:46 136704]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [23.7.2009 18:46 8320]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [6.3.2010 9:51 337800]
--- Ostatní služby/ovladače v paměti ---
*Deregistered* - obbdfd
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.seznam.cz/
TCP: {DFB6E3EF-E23E-4885-AFFD-12CA55F26482} = 213.226.224.12,194.213.224.1
DPF: {1F831FA2-42FC-11D4-95A6-0080AD30DCE1} - file://c:\program files\AutoCAD 2002 Cz\InstFred.ocx
DPF: {AE563723-B4F5-11D4-A415-00108302FDFD} - file://c:\program files\AutoCAD 2002 Cz\InstBanr.ocx
FF - ProfilePath - c:\documents and settings\Jenda\Data aplikací\Mozilla\Firefox\Profiles\6az372hp.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.seznam.cz
FF - plugin: c:\programy\Adobe\Reader 8.0\Reader\browser\nppdf32.dll
FF - plugin: c:\programy\QuickTime\Plugins\npqtplugin.dll
FF - plugin: c:\programy\QuickTime\Plugins\npqtplugin2.dll
FF - plugin: c:\programy\QuickTime\Plugins\npqtplugin3.dll
FF - plugin: c:\programy\QuickTime\Plugins\npqtplugin4.dll
FF - plugin: c:\programy\QuickTime\Plugins\npqtplugin5.dll
FF - plugin: c:\programy\QuickTime\Plugins\npqtplugin6.dll
FF - plugin: c:\programy\QuickTime\Plugins\npqtplugin7.dll
---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -
WebBrowser-{EEE6C35B-6118-11DC-9C72-001320C79847} - (no file)
HKU-Default-Run-Nokia.PCSync - c:\programy\Nokia\Nokia PC Suite 6\PcSync2.exe
MSConfigStartUp-Adobe Photo Downloader - c:\programy\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe
MSConfigStartUp-Kalendar - c:\programy\Kalendar\kalendar.exe
MSConfigStartUp-lphcrdgj0e70g - c:\windows\system32\lphcrdgj0e70g.exe
MSConfigStartUp-SMrhcvdgj0e70g - c:\program files\rhcvdgj0e70g\rhcvdgj0e70g.exe
MSConfigStartUp-Somefox - c:\docume~1\Jenda\LOCALS~1\Temp\setup1018.exe
MSConfigStartUp-svchosts - c:\documents and settings\Jenda\Data aplikací\Microsoft\svchosts.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
MSConfigStartUp-sysgif32 - c:\windows\TEMP\~TMC.tmp
MSConfigStartUp-Videohost - c:\docume~1\Jenda\LOCALS~1\Temp\c.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-07 11:02
Windows 5.1.2600 Service Pack 2 NTFS
skenování skrytých procesů ...
skenování skrytých položek 'Po spuštění' ...
skenování skrytých souborů ...
sken byl úspešně dokončen
skryté soubory: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\obbdfd]
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{630D90F8-D045-0C77-AEFA-80B2E1A351B0}\InProcServer32*]
"oafooeoomaadldcbdojlmeogapefad"=hex:6b,61,65,66,67,61,6f,65,64,61,68,69,64,6c,
69,6c,67,70,64,65,6d,6b,00,02
"nafoieinmdmnbpcogmhjlebjpmla"=hex:6b,61,6c,66,64,61,66,68,6b,65,6f,68,61,6b,
62,66,6b,61,68,70,66,68,00,00
.
Celkový čas: 2010-03-07 11:03:41
ComboFix-quarantined-files.txt 2010-03-07 10:03
Před spuštěním: Volných bajtů: 104 186 228 736
Po spuštění: Volných bajtů: 104 710 119 424
WindowsXP-KB310994-SP2-Pro-BootDisk-CSY.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - B83D4A87636C28C6C303EBE9B6FE6A87
Odvirování PC, zrychlení počítače, vzdálená pomoc prostřednictvím služby neslape.cz
POMOC ROOTKIT-GEN
Moderátor: Moderátoři
Pravidla fóra
Pokud chcete pomoc, vložte log z FRST [návod zde] nebo RSIT [návod zde]
Jednotlivé thready budou po vyřešení uzamčeny. Stejně tak ty, které budou nečinné déle než 14 dní. Vizte Pravidlo o zamykání témat. Děkujeme za pochopení.
!NOVINKA!
Nově lze využívat služby vzdálené pomoci, kdy se k vašemu počítači připojí odborník a bližší informace o problému si od vás získá telefonicky! Více na www.neslape.cz
Pokud chcete pomoc, vložte log z FRST [návod zde] nebo RSIT [návod zde]
Jednotlivé thready budou po vyřešení uzamčeny. Stejně tak ty, které budou nečinné déle než 14 dní. Vizte Pravidlo o zamykání témat. Děkujeme za pochopení.
!NOVINKA!
Nově lze využívat služby vzdálené pomoci, kdy se k vašemu počítači připojí odborník a bližší informace o problému si od vás získá telefonicky! Více na www.neslape.cz
-
Caroprd111
- VIP
- Příspěvky: 13492
- Registrován: 22 bře 2009 20:48
- Bydliště: Třebíč
- Kontaktovat uživatele:
Re: POMOC ROOTKIT-GEN
Zdravím 
Na logu se pracuje, prosím o strpení.
Nedoporučuji používat ComboFix z vlastní iniciativy, může dojít k poškození systému!
Na logu se pracuje, prosím o strpení.
Nedoporučuji používat ComboFix z vlastní iniciativy, může dojít k poškození systému!
-
Caroprd111
- VIP
- Příspěvky: 13492
- Registrován: 22 bře 2009 20:48
- Bydliště: Třebíč
- Kontaktovat uživatele:
Re: POMOC ROOTKIT-GEN
Pokud nemáte, přesuňte Combofix na plochu
- Otevřete si Poznámkový blok a zkopírujte do něj text z bílého okénka.
Kód: Vybrat vše
Driver::
MKSAWT
obbdfd
File::
c:\docume~1\Jenda\LOCALS~1\Temp\MKSAWT.exe
c:\documents and settings\Jenda\Nabídka Start\Programy\Po spuštění\winesm32.exe
c:\windows\pss\winesm32.exe
RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{630D90F8-D045-0C77-AEFA-80B2E1A351B0}\InProcServer32*]
Registry::
[-HKLM\~\startupfolder\C:^Documents and Settings^Jenda^Nabídka Start^Programy^Po spuštění^winesm32.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]- Uložte Vámi vytvořený TXT soubor jako CFScript.txt na plochu
- Po uložení uchopte vámi vytvořený skript levým myšítkem a přesuňte ho nad ikonu Combofixu, kde ho upustíte:
- Po aplikaci na Vás vypadne další log,vložte ho sem
POMOC ROOTKIT-GEN
Když jsem ten txt přetáhl na program, znovu se stalo to co při spuštění, nevím zda je to dobře nebo ne , ale log co pak přišel posílám zde:
ComboFix 10-03-06.06 - Jenda 07.03.2010 11:46:12.2.2 - x86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.420.1029.18.2047.1596 [GMT 1:00]
Spuštěný z: c:\documents and settings\Jenda\Plocha\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\Jenda\Plocha\CFScript.txt
AV: avast! antivirus 4.8.1201 [VPS 100306-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FILE ::
"c:\docume~1\Jenda\LOCALS~1\Temp\MKSAWT.exe"
"c:\documents and settings\Jenda\Nabídka Start\Programy\Po spuštění\winesm32.exe"
"c:\windows\pss\winesm32.exe"
.
((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Jenda\Nabídka Start\Programy\Po spuštění\winesm32.exe
.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_MKSAWT
-------\Legacy_OBBDFD
-------\Service_MKSAWT
-------\Service_obbdfd
((((((((((((((((((((((((( Soubory vytvořené od 2010-02-07 do 2010-03-07 )))))))))))))))))))))))))))))))
.
2010-03-06 10:49 . 2010-03-06 11:02 -------- d-----w- C:\AVATAR
2010-03-06 08:51 . 2010-03-06 08:53 42376 ----a-w- c:\windows\system32\drivers\ikfilesec.sys
2010-03-06 08:51 . 2007-12-10 13:53 29576 ----a-w- c:\windows\system32\drivers\kcom.sys
2010-03-06 08:51 . 2007-12-10 13:53 81288 ----a-w- c:\windows\system32\drivers\iksyssec.sys
2010-03-06 08:51 . 2007-12-10 13:53 66952 ----a-w- c:\windows\system32\drivers\iksysflt.sys
2010-03-05 11:20 . 2010-03-05 15:39 -------- d-----w- c:\program files\Freeware PDF Unlocker
2010-02-28 10:07 . 2008-05-16 00:15 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-02-28 10:07 . 2008-05-16 00:14 42912 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-02-28 10:07 . 2008-05-16 00:13 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-02-28 10:07 . 2008-05-16 00:20 78416 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-02-28 10:07 . 2008-05-16 00:16 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-02-28 10:07 . 2008-05-16 00:12 95608 ----a-w- c:\windows\system32\AvastSS.scr
2010-02-28 10:07 . 2008-05-16 00:18 94416 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-02-28 10:07 . 2008-01-17 17:34 93264 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-02-28 10:06 . 2008-05-16 00:24 1152888 ----a-w- c:\windows\system32\aswBoot.exe
2010-02-28 09:39 . 2010-02-28 10:06 -------- d-----w- c:\program files\Alwil Software
2010-02-27 20:18 . 2010-03-07 10:51 792064 ----a-w- c:\windows\system32\drivers\obbdfd.sys
2010-02-26 19:41 . 2008-03-05 14:56 3786760 ----a-w- c:\windows\system32\D3DX9_37.dll
2010-02-26 19:32 . 2007-03-01 12:38 1417216 ----a-w- c:\windows\system32\iSED.dll
2010-02-26 19:32 . 2010-02-26 19:32 -------- d-----w- c:\program files\Split and Merge PDF
2010-02-21 11:35 . 2010-02-21 11:42 -------- d-----w- C:\bobik
2010-02-17 18:37 . 2010-02-24 12:31 -------- d-----w- c:\program files\Stavební fyzika
2010-02-17 15:48 . 2010-02-17 15:48 -------- d-----w- c:\program files\Common Files\DWGdirectX 2.5
2010-02-17 15:44 . 2008-05-08 10:37 2741248 ----a-w- c:\windows\system32\CyViewer.dll
2010-02-17 15:43 . 2006-09-26 05:44 62464 ----a-w- c:\windows\system32\sevLock.dll
2010-02-13 13:54 . 2010-02-24 12:29 -------- d-----w- c:\program files\Common Files\Svoboda Software
2010-02-12 15:22 . 2010-02-12 15:22 -------- d-sh--w- c:\windows\ftpcache
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-06 10:48 . 2008-08-10 07:13 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-06 09:04 . 2008-08-21 13:50 -------- d-----w- c:\program files\Spyware Doctor
2010-02-26 20:03 . 2008-08-10 08:31 27335 ----a-w- c:\windows\system32\nvModes.dat
2010-01-14 17:44 . 2010-01-14 17:41 -------- d-----w- c:\program files\DrivingSpeed2
2008-12-03 15:32 . 2008-12-03 15:05 88 --sh--r- c:\windows\system32\A7AC9EF47D.sys
2009-07-06 13:09 . 2008-12-03 15:05 2880 --sha-w- c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((( SnapShot@2010-03-07_10.02.05 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-07 10:52 . 2010-03-07 10:52 16384 c:\windows\Temp\Perflib_Perfdata_bc.dat
+ 2010-03-07 10:52 . 2010-03-07 10:52 16384 c:\windows\Temp\Perflib_Perfdata_764.dat
+ 2010-03-07 10:42 . 2010-03-07 10:42 1532 c:\windows\SoftwareDistribution\EventCache\{8761D485-1863-48C4-8705-A1D47E47932A}.bin
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-10-28 94208]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-23 16804864]
"nwiz"="nwiz.exe" [2007-09-28 1626112]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-28 8491008]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-17 110592]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 221184]
"QuickTime Task"="c:\programy\QuickTime\qttask.exe" [2008-05-27 413696]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-06-01 823296]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-06-01 974848]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-16 79224]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-17 15360]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Nabídka Start^Programy^Po spuštění^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Jenda^Nabídka Start^Programy^Po spuštění^Adobe Gamma.lnk]
path=c:\documents and settings\Jenda\Nabídka Start\Programy\Po spuštění\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Jenda^Nabídka Start^Programy^Po spuštění^MagicDisc.lnk]
path=c:\documents and settings\Jenda\Nabídka Start\Programy\Po spuštění\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ABUNINSTALLEX]
2007-07-03 10:37 263664 ----a-w- c:\documents and settings\All Users\Data aplikací\AB Studio\ABUnInstallEx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-05-11 11:06 40048 ----a-w- c:\programy\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BisonHK]
2007-03-15 14:37 32768 ----a-w- c:\windows\BisonCam\BisonHK.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BsMnt]
2007-03-15 14:34 172032 ----a-w- c:\windows\BisonCam\BsMnt.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehRecord]
2007-12-31 14:30 221184 ----a-w- c:\program files\USB_video_device\Utility\MS_Tool\ehRecord.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-06-16 04:03 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MGSysCtrl]
2007-11-21 08:33 180224 ----a-w- c:\program files\System Control Manager\MGSysCtrl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-08-17 13:58 1667584 ------w- c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 08:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
2008-10-02 06:00 1124352 ----a-w- c:\programy\Nokia\Nokia PC Suite 7\PCSuite.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-05-27 08:50 413696 ----a-w- c:\programy\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-07-25 03:23 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WireLessMouse]
2005-11-30 10:48 94208 ----a-w- c:\programy\Multimedia Mouse Driver\StartAutorun.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Programy\\EA GAMES\\MOHAA\\MOHAA.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Programy\\Nero 7\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"c:\\Programy\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\Graphisoft\\ArchiCAD 10\\ArchiCAD.exe"=
"c:\\Programy\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Total Uninstall 5\\TuAgent.exe"=
"c:\\Program Files\\Total Uninstall 5\\TuStarter.exe"=
"c:\\Program Files\\Total Uninstall 5\\Tu.exe"=
R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [10.8.2008 9:29 39680]
R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [10.8.2008 9:29 35712]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10.8.2008 11:00 717296]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [28.2.2010 11:07 78416]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [28.2.2010 11:07 20560]
R2 NishService;SCM Driver Daemon;c:\program files\System Control Manager\edd.exe [8.10.2009 14:43 40960]
R3 MGHwCtrl;MGHwCtrl;c:\windows\system32\drivers\MGHwCtrl.sys [8.10.2009 14:43 9088]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [23.7.2009 18:46 136704]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [23.7.2009 18:46 8320]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [6.3.2010 9:51 337800]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.seznam.cz/
TCP: {DFB6E3EF-E23E-4885-AFFD-12CA55F26482} = 213.226.224.12,194.213.224.1
DPF: {1F831FA2-42FC-11D4-95A6-0080AD30DCE1} - file://c:\program files\AutoCAD 2002 Cz\InstFred.ocx
DPF: {AE563723-B4F5-11D4-A415-00108302FDFD} - file://c:\program files\AutoCAD 2002 Cz\InstBanr.ocx
FF - ProfilePath - c:\documents and settings\Jenda\Data aplikací\Mozilla\Firefox\Profiles\6az372hp.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.seznam.cz
FF - plugin: c:\programy\Adobe\Reader 8.0\Reader\browser\nppdf32.dll
FF - plugin: c:\programy\QuickTime\Plugins\npqtplugin.dll
FF - plugin: c:\programy\QuickTime\Plugins\npqtplugin2.dll
FF - plugin: c:\programy\QuickTime\Plugins\npqtplugin3.dll
FF - plugin: c:\programy\QuickTime\Plugins\npqtplugin4.dll
FF - plugin: c:\programy\QuickTime\Plugins\npqtplugin5.dll
FF - plugin: c:\programy\QuickTime\Plugins\npqtplugin6.dll
FF - plugin: c:\programy\QuickTime\Plugins\npqtplugin7.dll
---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-07 11:54
Windows 5.1.2600 Service Pack 2 NTFS
skenování skrytých procesů ...
skenování skrytých položek 'Po spuštění' ...
skenování skrytých souborů ...
sken byl úspešně dokončen
skryté soubory: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A6251F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba92cfc3
\Driver\ACPI -> ACPI.sys @ 0xba647cb8
\Driver\atapi -> 0x8a6251f8
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x8058236c
ParseProcedure -> ntkrnlpa.exe @ 0x8058146a
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x8058236c
ParseProcedure -> ntkrnlpa.exe @ 0x8058146a
NDIS: Bluetooth Device (Personal Area Network) -> SendCompleteHandler -> NDIS.sys @ 0xba3b7ba0
PacketIndicateHandler -> NDIS.sys @ 0xba3a6a0b
SendHandler -> NDIS.sys @ 0xba3bab31
Warning: possible MBR rootkit infection !
user & kernel MBR OK
**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{630D90F8-D045-0C77-AEFA-80B2E1A351B0}\InProcServer32*]
"oafooeoomaadldcbdojlmeogapefad"=hex:6b,61,65,66,67,61,6f,65,64,61,68,69,64,6c,
69,6c,67,70,64,65,6d,6b,00,02
"nafoieinmdmnbpcogmhjlebjpmla"=hex:6b,61,6c,66,64,61,66,68,6b,65,6f,68,61,6b,
62,66,6b,61,68,70,66,68,00,00
.
--------------------- Knihovny navázané na běžící procesy ---------------------
- - - - - - - > 'explorer.exe'(3816)
c:\windows\system32\msi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\windows\RTHDCPL.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\nvsvc32.exe
c:\program files\O2Micro Oz128 Driver\o2flash.exe
c:\windows\system32\PSIService.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Celkový čas: 2010-03-07 11:59:01 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-03-07 10:58
ComboFix2.txt 2010-03-07 10:03
Před spuštěním: Volných bajtů: 104 706 367 488
Po spuštění: Volných bajtů: 104 585 117 696
- - End Of File - - 59EE7B778D5CA96845E0094A6B3F8BF9
ComboFix 10-03-06.06 - Jenda 07.03.2010 11:46:12.2.2 - x86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.420.1029.18.2047.1596 [GMT 1:00]
Spuštěný z: c:\documents and settings\Jenda\Plocha\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\Jenda\Plocha\CFScript.txt
AV: avast! antivirus 4.8.1201 [VPS 100306-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FILE ::
"c:\docume~1\Jenda\LOCALS~1\Temp\MKSAWT.exe"
"c:\documents and settings\Jenda\Nabídka Start\Programy\Po spuštění\winesm32.exe"
"c:\windows\pss\winesm32.exe"
.
((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Jenda\Nabídka Start\Programy\Po spuštění\winesm32.exe
.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_MKSAWT
-------\Legacy_OBBDFD
-------\Service_MKSAWT
-------\Service_obbdfd
((((((((((((((((((((((((( Soubory vytvořené od 2010-02-07 do 2010-03-07 )))))))))))))))))))))))))))))))
.
2010-03-06 10:49 . 2010-03-06 11:02 -------- d-----w- C:\AVATAR
2010-03-06 08:51 . 2010-03-06 08:53 42376 ----a-w- c:\windows\system32\drivers\ikfilesec.sys
2010-03-06 08:51 . 2007-12-10 13:53 29576 ----a-w- c:\windows\system32\drivers\kcom.sys
2010-03-06 08:51 . 2007-12-10 13:53 81288 ----a-w- c:\windows\system32\drivers\iksyssec.sys
2010-03-06 08:51 . 2007-12-10 13:53 66952 ----a-w- c:\windows\system32\drivers\iksysflt.sys
2010-03-05 11:20 . 2010-03-05 15:39 -------- d-----w- c:\program files\Freeware PDF Unlocker
2010-02-28 10:07 . 2008-05-16 00:15 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-02-28 10:07 . 2008-05-16 00:14 42912 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-02-28 10:07 . 2008-05-16 00:13 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-02-28 10:07 . 2008-05-16 00:20 78416 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-02-28 10:07 . 2008-05-16 00:16 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-02-28 10:07 . 2008-05-16 00:12 95608 ----a-w- c:\windows\system32\AvastSS.scr
2010-02-28 10:07 . 2008-05-16 00:18 94416 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-02-28 10:07 . 2008-01-17 17:34 93264 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-02-28 10:06 . 2008-05-16 00:24 1152888 ----a-w- c:\windows\system32\aswBoot.exe
2010-02-28 09:39 . 2010-02-28 10:06 -------- d-----w- c:\program files\Alwil Software
2010-02-27 20:18 . 2010-03-07 10:51 792064 ----a-w- c:\windows\system32\drivers\obbdfd.sys
2010-02-26 19:41 . 2008-03-05 14:56 3786760 ----a-w- c:\windows\system32\D3DX9_37.dll
2010-02-26 19:32 . 2007-03-01 12:38 1417216 ----a-w- c:\windows\system32\iSED.dll
2010-02-26 19:32 . 2010-02-26 19:32 -------- d-----w- c:\program files\Split and Merge PDF
2010-02-21 11:35 . 2010-02-21 11:42 -------- d-----w- C:\bobik
2010-02-17 18:37 . 2010-02-24 12:31 -------- d-----w- c:\program files\Stavební fyzika
2010-02-17 15:48 . 2010-02-17 15:48 -------- d-----w- c:\program files\Common Files\DWGdirectX 2.5
2010-02-17 15:44 . 2008-05-08 10:37 2741248 ----a-w- c:\windows\system32\CyViewer.dll
2010-02-17 15:43 . 2006-09-26 05:44 62464 ----a-w- c:\windows\system32\sevLock.dll
2010-02-13 13:54 . 2010-02-24 12:29 -------- d-----w- c:\program files\Common Files\Svoboda Software
2010-02-12 15:22 . 2010-02-12 15:22 -------- d-sh--w- c:\windows\ftpcache
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-06 10:48 . 2008-08-10 07:13 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-06 09:04 . 2008-08-21 13:50 -------- d-----w- c:\program files\Spyware Doctor
2010-02-26 20:03 . 2008-08-10 08:31 27335 ----a-w- c:\windows\system32\nvModes.dat
2010-01-14 17:44 . 2010-01-14 17:41 -------- d-----w- c:\program files\DrivingSpeed2
2008-12-03 15:32 . 2008-12-03 15:05 88 --sh--r- c:\windows\system32\A7AC9EF47D.sys
2009-07-06 13:09 . 2008-12-03 15:05 2880 --sha-w- c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((( SnapShot@2010-03-07_10.02.05 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-07 10:52 . 2010-03-07 10:52 16384 c:\windows\Temp\Perflib_Perfdata_bc.dat
+ 2010-03-07 10:52 . 2010-03-07 10:52 16384 c:\windows\Temp\Perflib_Perfdata_764.dat
+ 2010-03-07 10:42 . 2010-03-07 10:42 1532 c:\windows\SoftwareDistribution\EventCache\{8761D485-1863-48C4-8705-A1D47E47932A}.bin
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-10-28 94208]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-23 16804864]
"nwiz"="nwiz.exe" [2007-09-28 1626112]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-28 8491008]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-17 110592]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 221184]
"QuickTime Task"="c:\programy\QuickTime\qttask.exe" [2008-05-27 413696]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-06-01 823296]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-06-01 974848]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-16 79224]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-17 15360]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Nabídka Start^Programy^Po spuštění^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Jenda^Nabídka Start^Programy^Po spuštění^Adobe Gamma.lnk]
path=c:\documents and settings\Jenda\Nabídka Start\Programy\Po spuštění\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Jenda^Nabídka Start^Programy^Po spuštění^MagicDisc.lnk]
path=c:\documents and settings\Jenda\Nabídka Start\Programy\Po spuštění\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ABUNINSTALLEX]
2007-07-03 10:37 263664 ----a-w- c:\documents and settings\All Users\Data aplikací\AB Studio\ABUnInstallEx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-05-11 11:06 40048 ----a-w- c:\programy\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BisonHK]
2007-03-15 14:37 32768 ----a-w- c:\windows\BisonCam\BisonHK.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BsMnt]
2007-03-15 14:34 172032 ----a-w- c:\windows\BisonCam\BsMnt.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehRecord]
2007-12-31 14:30 221184 ----a-w- c:\program files\USB_video_device\Utility\MS_Tool\ehRecord.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-06-16 04:03 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MGSysCtrl]
2007-11-21 08:33 180224 ----a-w- c:\program files\System Control Manager\MGSysCtrl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-08-17 13:58 1667584 ------w- c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 08:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
2008-10-02 06:00 1124352 ----a-w- c:\programy\Nokia\Nokia PC Suite 7\PCSuite.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-05-27 08:50 413696 ----a-w- c:\programy\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-07-25 03:23 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WireLessMouse]
2005-11-30 10:48 94208 ----a-w- c:\programy\Multimedia Mouse Driver\StartAutorun.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Programy\\EA GAMES\\MOHAA\\MOHAA.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Programy\\Nero 7\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"c:\\Programy\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\Graphisoft\\ArchiCAD 10\\ArchiCAD.exe"=
"c:\\Programy\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Total Uninstall 5\\TuAgent.exe"=
"c:\\Program Files\\Total Uninstall 5\\TuStarter.exe"=
"c:\\Program Files\\Total Uninstall 5\\Tu.exe"=
R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [10.8.2008 9:29 39680]
R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [10.8.2008 9:29 35712]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10.8.2008 11:00 717296]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [28.2.2010 11:07 78416]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [28.2.2010 11:07 20560]
R2 NishService;SCM Driver Daemon;c:\program files\System Control Manager\edd.exe [8.10.2009 14:43 40960]
R3 MGHwCtrl;MGHwCtrl;c:\windows\system32\drivers\MGHwCtrl.sys [8.10.2009 14:43 9088]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [23.7.2009 18:46 136704]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [23.7.2009 18:46 8320]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [6.3.2010 9:51 337800]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.seznam.cz/
TCP: {DFB6E3EF-E23E-4885-AFFD-12CA55F26482} = 213.226.224.12,194.213.224.1
DPF: {1F831FA2-42FC-11D4-95A6-0080AD30DCE1} - file://c:\program files\AutoCAD 2002 Cz\InstFred.ocx
DPF: {AE563723-B4F5-11D4-A415-00108302FDFD} - file://c:\program files\AutoCAD 2002 Cz\InstBanr.ocx
FF - ProfilePath - c:\documents and settings\Jenda\Data aplikací\Mozilla\Firefox\Profiles\6az372hp.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.seznam.cz
FF - plugin: c:\programy\Adobe\Reader 8.0\Reader\browser\nppdf32.dll
FF - plugin: c:\programy\QuickTime\Plugins\npqtplugin.dll
FF - plugin: c:\programy\QuickTime\Plugins\npqtplugin2.dll
FF - plugin: c:\programy\QuickTime\Plugins\npqtplugin3.dll
FF - plugin: c:\programy\QuickTime\Plugins\npqtplugin4.dll
FF - plugin: c:\programy\QuickTime\Plugins\npqtplugin5.dll
FF - plugin: c:\programy\QuickTime\Plugins\npqtplugin6.dll
FF - plugin: c:\programy\QuickTime\Plugins\npqtplugin7.dll
---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-07 11:54
Windows 5.1.2600 Service Pack 2 NTFS
skenování skrytých procesů ...
skenování skrytých položek 'Po spuštění' ...
skenování skrytých souborů ...
sken byl úspešně dokončen
skryté soubory: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A6251F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba92cfc3
\Driver\ACPI -> ACPI.sys @ 0xba647cb8
\Driver\atapi -> 0x8a6251f8
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x8058236c
ParseProcedure -> ntkrnlpa.exe @ 0x8058146a
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x8058236c
ParseProcedure -> ntkrnlpa.exe @ 0x8058146a
NDIS: Bluetooth Device (Personal Area Network) -> SendCompleteHandler -> NDIS.sys @ 0xba3b7ba0
PacketIndicateHandler -> NDIS.sys @ 0xba3a6a0b
SendHandler -> NDIS.sys @ 0xba3bab31
Warning: possible MBR rootkit infection !
user & kernel MBR OK
**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{630D90F8-D045-0C77-AEFA-80B2E1A351B0}\InProcServer32*]
"oafooeoomaadldcbdojlmeogapefad"=hex:6b,61,65,66,67,61,6f,65,64,61,68,69,64,6c,
69,6c,67,70,64,65,6d,6b,00,02
"nafoieinmdmnbpcogmhjlebjpmla"=hex:6b,61,6c,66,64,61,66,68,6b,65,6f,68,61,6b,
62,66,6b,61,68,70,66,68,00,00
.
--------------------- Knihovny navázané na běžící procesy ---------------------
- - - - - - - > 'explorer.exe'(3816)
c:\windows\system32\msi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\windows\RTHDCPL.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\nvsvc32.exe
c:\program files\O2Micro Oz128 Driver\o2flash.exe
c:\windows\system32\PSIService.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Celkový čas: 2010-03-07 11:59:01 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-03-07 10:58
ComboFix2.txt 2010-03-07 10:03
Před spuštěním: Volných bajtů: 104 706 367 488
Po spuštění: Volných bajtů: 104 585 117 696
- - End Of File - - 59EE7B778D5CA96845E0094A6B3F8BF9
-
Caroprd111
- VIP
- Příspěvky: 13492
- Registrován: 22 bře 2009 20:48
- Bydliště: Třebíč
- Kontaktovat uživatele:
Re: POMOC ROOTKIT-GEN
Odinstalujte všechny emulátory virtuálních mechanik. Stáhněte SPTD http://www.duplexsecure.com/en/downloads
- Vyberte verzi podle svého operačního systému (64 & 32b). Uložte na plochu a spusťte.
- zvolte možnost Uninstall a restartujte PC.
Stáhněte MBR na plochu http://www2.gmer.net/mbr/mbr.exe Start > Spustit (Win + R)- Vyskočí okénko, zkopírujte do něj:
Kód: Vybrat vše
"%userprofile%\plocha\mbr" -t- Klikněte na OK
- Vytvoří se log s názvem mbr.log, vložte ho sem.
Dejte log z Gmer http://www.viry.cz/forum/viewtopic.php?f=29&t=62878Re: POMOC ROOTKIT-GEN
LOG Z MBR
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
LOG Z GMER
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-03-07 12:45:18
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\Jenda\LOCALS~1\Temp\ufdyypob.sys
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
---- EOF - GMER 1.0.15 ----
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
LOG Z GMER
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-03-07 12:45:18
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\Jenda\LOCALS~1\Temp\ufdyypob.sys
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
---- EOF - GMER 1.0.15 ----
-
Caroprd111
- VIP
- Příspěvky: 13492
- Registrován: 22 bře 2009 20:48
- Bydliště: Třebíč
- Kontaktovat uživatele:
Re: POMOC ROOTKIT-GEN
Jaký myslíte log 2 ? Mě ten GMER nenabízí log2.
-
Caroprd111
- VIP
- Příspěvky: 13492
- Registrován: 22 bře 2009 20:48
- Bydliště: Třebíč
- Kontaktovat uživatele:
Re: POMOC ROOTKIT-GEN
Tak jsem provedl ten druhy log, ale ten sken jsem nedokončil, skončil jsem ho tak po hodině a půl. Ale to co se našlo tak tady posílám. Děkuji za odpověď
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-07 14:58:11
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\Jenda\LOCALS~1\Temp\ufdyypob.sys
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB7BD9588]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xB7BD9444]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateProcess [0xB7EB8794]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateProcessEx [0xB7EB8F1E]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwDeleteKey [0xB7EBC1F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xB7BD9922]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xB7BD901C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xB7BD951E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB7BD8F5C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xB7BD8FC0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xB7BD963E]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwRenameKey [0xB7EBD12A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xB7BD95FE]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xB7BD977E]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwTerminateProcess [0xB7EB7D0A]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwWriteVirtualMemory [0xB7EB7384]
INT 0x06 \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) B51F616D
INT 0x0E \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) B51F5FC2
---- Kernel code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB98A1360, 0x3074E7, 0xE8000020]
.text C:\WINDOWS\system32\drivers\hardlock.sys section is writeable [0xB4E5A400, 0x87EE2, 0xE8000020]
.protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xB4EFE620] C:\WINDOWS\system32\drivers\hardlock.sys entry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xB4EFE620]
.protect˙˙˙˙hardlockunknown last code section [0xB4EFE400, 0x5126, 0xE0000020] C:\WINDOWS\system32\drivers\hardlock.sys unknown last code section [0xB4EFE400, 0x5126, 0xE0000020]
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\WINDOWS\system32\services.exe[1100] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003C0002
IAT C:\WINDOWS\system32\services.exe[1100] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003C0000
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001d921e5c5f
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001d921e5c5f@0022fc47ebb4 0xA1 0xED 0xAF 0x91 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x08 0xE1 0x22 0x05 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Programy\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x5C 0xF9 0x42 0xC3 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xA7 0xCE 0x31 0xD8 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x4A 0x90 0x38 0x30 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x35 0xF7 0xC3 0xF5 ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001d921e5c5f (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001d921e5c5f@0022fc47ebb4 0xA1 0xED 0xAF 0x91 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x08 0xE1 0x22 0x05 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Programy\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x5C 0xF9 0x42 0xC3 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xA7 0xCE 0x31 0xD8 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x4A 0x90 0x38 0x30 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x35 0xF7 0xC3 0xF5 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{630D90F8-D045-0C77-AEFA-80B2E1A351B0}\InProcServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{630D90F8-D045-0C77-AEFA-80B2E1A351B0}\InProcServer32@oafooeoomaadldcbdojlmeogapefad 0x6B 0x61 0x65 0x66 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{630D90F8-D045-0C77-AEFA-80B2E1A351B0}\InProcServer32@nafoieinmdmnbpcogmhjlebjpmla 0x6B 0x61 0x6C 0x66 ...
---- EOF - GMER 1.0.15 ----
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-07 14:58:11
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\Jenda\LOCALS~1\Temp\ufdyypob.sys
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB7BD9588]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xB7BD9444]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateProcess [0xB7EB8794]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateProcessEx [0xB7EB8F1E]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwDeleteKey [0xB7EBC1F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xB7BD9922]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xB7BD901C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xB7BD951E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB7BD8F5C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xB7BD8FC0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xB7BD963E]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwRenameKey [0xB7EBD12A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xB7BD95FE]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xB7BD977E]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwTerminateProcess [0xB7EB7D0A]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwWriteVirtualMemory [0xB7EB7384]
INT 0x06 \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) B51F616D
INT 0x0E \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) B51F5FC2
---- Kernel code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB98A1360, 0x3074E7, 0xE8000020]
.text C:\WINDOWS\system32\drivers\hardlock.sys section is writeable [0xB4E5A400, 0x87EE2, 0xE8000020]
.protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xB4EFE620] C:\WINDOWS\system32\drivers\hardlock.sys entry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xB4EFE620]
.protect˙˙˙˙hardlockunknown last code section [0xB4EFE400, 0x5126, 0xE0000020] C:\WINDOWS\system32\drivers\hardlock.sys unknown last code section [0xB4EFE400, 0x5126, 0xE0000020]
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\WINDOWS\system32\services.exe[1100] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003C0002
IAT C:\WINDOWS\system32\services.exe[1100] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003C0000
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001d921e5c5f
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001d921e5c5f@0022fc47ebb4 0xA1 0xED 0xAF 0x91 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x08 0xE1 0x22 0x05 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Programy\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x5C 0xF9 0x42 0xC3 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xA7 0xCE 0x31 0xD8 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x4A 0x90 0x38 0x30 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x35 0xF7 0xC3 0xF5 ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001d921e5c5f (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001d921e5c5f@0022fc47ebb4 0xA1 0xED 0xAF 0x91 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x08 0xE1 0x22 0x05 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Programy\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x5C 0xF9 0x42 0xC3 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xA7 0xCE 0x31 0xD8 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x4A 0x90 0x38 0x30 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x35 0xF7 0xC3 0xF5 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{630D90F8-D045-0C77-AEFA-80B2E1A351B0}\InProcServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{630D90F8-D045-0C77-AEFA-80B2E1A351B0}\InProcServer32@oafooeoomaadldcbdojlmeogapefad 0x6B 0x61 0x65 0x66 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{630D90F8-D045-0C77-AEFA-80B2E1A351B0}\InProcServer32@nafoieinmdmnbpcogmhjlebjpmla 0x6B 0x61 0x6C 0x66 ...
---- EOF - GMER 1.0.15 ----
-
Caroprd111
- VIP
- Příspěvky: 13492
- Registrován: 22 bře 2009 20:48
- Bydliště: Třebíč
- Kontaktovat uživatele:
Re: POMOC ROOTKIT-GEN
No tak vše jde jak má, hláška už nevyskakuje. Takže myslím že dobré.
Děkuju za pomoc
Děkuju za pomoc
-
Caroprd111
- VIP
- Příspěvky: 13492
- Registrován: 22 bře 2009 20:48
- Bydliště: Třebíč
- Kontaktovat uživatele:
-
Caroprd111
- VIP
- Příspěvky: 13492
- Registrován: 22 bře 2009 20:48
- Bydliště: Třebíč
- Kontaktovat uživatele:
Přispějete na provoz fóra?