VIRY.CZ

Pomáháme v boji s počítačovou havěti!
https://forum.viry.cz:443/

vir Alureon.B nelze odstranit

https://forum.viry.cz:443/viewtopic.php?t=99012

Stránka 1 z 3

vir Alureon.B nelze odstranit

Napsal: 17 bře 2010 17:17
od swobi
microsoft security essentials vyhledal vir Alureon.B ktery ale nejde odtranit proto teda prosim o pomoc a prikladam vypis z log

Logfile of random's system information tool 1.06 (written by random/random)
Run by Jan Svoboda at 2010-03-17 17:08:54
Microsoft® Windows Vista™ Home Premium Service Pack 2
System drive C: has 8 GB (2%) free of 477 GB
Total RAM: 2046 MB (41% free)

HijackThis download failed

======Scheduled tasks folder======

C:\Windows\tasks\Google Software Updater.job
C:\Windows\tasks\User_Feed_Synchronization-{D3BCFB12-CB3B-472F-9F00-1BB3D1BD21C9}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22BF413B-C6D2-4d91-82A9-A0F997BA588C}]
Skype add-on (mastermind) - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2008-02-01 1377576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Pomocná služba pro přihlášení ke službě Windows Live ID - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-03-30 403824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A55F9C95-2BB1-4EA2-BC77-DFAAB78832CE}]
QIPBHO Class - C:\Users\Jan Svoboda\AppData\Roaming\Microsoft\Internet Explorer\qipsearchbar.dll [2009-07-14 150768]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll [2009-03-30 668656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-03-01 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{CCC7A320-B3CA-4199-B1A6-9F516DD69829}

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-19 1008184]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-03-01 148888]
"MSSE"=c:\Program Files\Microsoft Security Essentials\msseces.exe [2010-02-21 1093208]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"=C:\Windows\ehome\ehTray.exe [2008-01-19 125952]
"PC Suite Tray"=C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe [2009-06-12 1414144]
"QIP2005"=C:\Program Files\QIP\qip.exe [2009-08-13 3276288]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MsMpSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfPf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfRd]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfUsbccidDriver]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"BindDirectlyToPropertySetStorage"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4a825093-ca25-11de-9696-001d7d9b2181}]
shell\AutoRun\command - I:\StartUp.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a7dc171e-b272-11de-8df5-001d7d9b2181}]
shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RUNdLl32.ExE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c8b888d1-eb82-11dc-9832-001d7d9b2181}]
shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ce712d85-a269-11dd-ba48-001d7d9b2181}]
shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL J:\Recycled\ctfmon.exe
shell\Open(0)\command - J:\Recycled\ctfmon.exe


======File associations======

.js - edit - C:\Windows\System32\Notepad.exe %1
.js - open - C:\Windows\System32\WScript.exe "%1" %*
.scr - open - "C:\Windows\system32\notepad.exe" "%1"
.scr - install -
.scr - config -

======List of files/folders created in the last 1 months======

2010-03-17 17:08:55 ----D---- C:\Program Files\trend micro
2010-03-17 17:08:54 ----D---- C:\rsit
2010-03-17 15:09:56 ----SHD---- C:\Config.Msi
2010-03-17 15:03:46 ----D---- C:\Program Files\Common Files\ParetoLogic
2010-03-17 14:44:48 ----D---- C:\Users\Jan Svoboda\AppData\Roaming\Malwarebytes
2010-03-17 14:44:44 ----D---- C:\ProgramData\Malwarebytes
2010-03-14 14:49:41 ----D---- C:\Program Files\Common Files\PCSuite
2010-03-14 14:49:37 ----D---- C:\Program Files\Common Files\Nokia
2010-03-14 14:49:18 ----D---- C:\Program Files\PC Connectivity Solution
2010-03-12 17:04:22 ----D---- C:\Users\Jan Svoboda\AppData\Roaming\Opera
2010-03-12 17:04:14 ----D---- C:\Program Files\Opera
2010-03-12 15:58:18 ----D---- C:\Program Files\NVIDIA Corporation
2010-03-12 15:57:07 ----A---- C:\Windows\system32\browserchoice.exe
2010-03-12 07:21:59 ----A---- C:\Windows\system32\nshhttp.dll
2010-03-12 07:21:57 ----A---- C:\Windows\system32\httpapi.dll
2010-02-26 15:22:24 ----A---- C:\Windows\system32\reboot.txt
2010-02-26 15:05:02 ----D---- C:\Program Files\Microsoft Security Essentials
2010-02-24 15:33:01 ----D---- C:\Program Files\Venetica
2010-02-24 13:38:55 ----A---- C:\Windows\system32\jscript.dll
2010-02-24 13:38:50 ----A---- C:\Windows\system32\tzres.dll
2010-02-24 13:38:38 ----A---- C:\Windows\system32\secproc_isv.dll
2010-02-24 13:38:38 ----A---- C:\Windows\system32\secproc.dll
2010-02-24 13:38:32 ----A---- C:\Windows\system32\RMActivate_isv.exe
2010-02-24 13:38:31 ----A---- C:\Windows\system32\RMActivate_ssp_isv.exe
2010-02-24 13:38:31 ----A---- C:\Windows\system32\RMActivate_ssp.exe
2010-02-24 13:38:30 ----A---- C:\Windows\system32\RMActivate.exe
2010-02-24 13:38:29 ----A---- C:\Windows\system32\secproc_ssp_isv.dll
2010-02-24 13:38:29 ----A---- C:\Windows\system32\secproc_ssp.dll
2010-02-24 13:38:29 ----A---- C:\Windows\system32\msdrm.dll
2010-02-24 13:38:28 ----A---- C:\Windows\system32\gameux.dll
2010-02-24 13:38:27 ----A---- C:\Windows\system32\GameUXLegacyGDFs.dll
2010-02-24 13:38:27 ----A---- C:\Windows\system32\Apphlpdm.dll

======List of files/folders modified in the last 1 months======

2010-03-17 17:08:55 ----RD---- C:\Program Files
2010-03-17 17:08:52 ----D---- C:\Windows\Temp
2010-03-17 16:47:24 ----D---- C:\Windows\system32\drivers
2010-03-17 15:10:00 ----SHD---- C:\Windows\Installer
2010-03-17 15:09:59 ----HD---- C:\ProgramData
2010-03-17 15:09:58 ----D---- C:\Windows\System32
2010-03-17 15:09:48 ----D---- C:\Windows\Tasks
2010-03-17 15:09:48 ----D---- C:\Windows\system32\catroot
2010-03-17 15:03:57 ----D---- C:\Windows\system32\Tasks
2010-03-17 15:03:46 ----D---- C:\Program Files\Common Files
2010-03-17 14:57:49 ----AD---- C:\ProgramData\TEMP
2010-03-17 14:57:38 ----D---- C:\Windows
2010-03-17 14:54:02 ----D---- C:\Windows\Prefetch
2010-03-17 14:39:21 ----D---- C:\Windows\inf
2010-03-17 14:39:21 ----A---- C:\Windows\system32\PerfStringBackup.INI
2010-03-17 14:33:38 ----SHD---- C:\System Volume Information
2010-03-17 14:33:37 ----D---- C:\Windows\Logs
2010-03-16 19:48:13 ----D---- C:\ProgramData\Google Updater
2010-03-14 15:00:01 ----D---- C:\Users\Jan Svoboda\AppData\Roaming\Nokia
2010-03-14 14:51:13 ----D---- C:\Windows\SoftwareDistribution
2010-03-14 14:49:39 ----D---- C:\Program Files\Nokia
2010-03-14 14:49:29 ----D---- C:\Program Files\DIFX
2010-03-14 14:49:28 ----DC---- C:\Windows\system32\DRVSTORE
2010-03-14 14:48:18 ----D---- C:\Windows\system32\catroot2
2010-03-14 14:47:53 ----D---- C:\ProgramData\Installations
2010-03-12 16:55:54 ----D---- C:\Program Files\Mozilla Firefox
2010-03-12 15:59:08 ----D---- C:\ProgramData\NVIDIA
2010-03-12 15:57:21 ----D---- C:\Windows\winsxs
2010-03-12 14:08:22 ----D---- C:\Users\Jan Svoboda\AppData\Roaming\IM
2010-03-12 13:45:43 ----D---- C:\Windows\system32\LogFiles
2010-03-12 11:30:02 ----D---- C:\Windows\Debug
2010-03-12 07:25:54 ----D---- C:\Program Files\Windows Mail
2010-03-12 07:25:54 ----D---- C:\Program Files\Movie Maker
2010-03-12 07:24:49 ----D---- C:\ProgramData\Microsoft Help
2010-03-07 18:27:45 ----D---- C:\Users\Jan Svoboda\AppData\Roaming\DVD Flick
2010-03-05 15:07:33 ----D---- C:\Program Files\Warcraft III
2010-03-02 06:30:12 ----A---- C:\Windows\system32\mrt.exe
2010-02-26 15:33:15 ----A---- C:\Windows\win.ini
2010-02-26 15:22:28 ----D---- C:\Program Files\Hewlett-Packard
2010-02-26 14:52:16 ----D---- C:\Program Files\CCleaner
2010-02-25 15:11:54 ----D---- C:\Windows\rescache
2010-02-25 10:17:27 ----RSD---- C:\Windows\Fonts
2010-02-25 10:17:27 ----D---- C:\Windows\system32\cs-CZ
2010-02-25 10:17:27 ----D---- C:\Windows\AppPatch
2010-02-24 10:16:06 ----N---- C:\Windows\system32\MpSigStub.exe
2010-02-21 14:27:36 ----D---- C:\Users\Jan Svoboda\AppData\Roaming\Skype
2010-02-21 14:26:29 ----D---- C:\Users\Jan Svoboda\AppData\Roaming\skypePM

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 ElbyCDIO;ElbyCDIO Driver; C:\Windows\System32\Drivers\ElbyCDIO.sys [2007-02-28 15440]
R1 MpFilter;Microsoft Malware Protection Driver; C:\Windows\system32\DRIVERS\MpFilter.sys [2009-12-02 149040]
R1 MpKsla90206f1;MpKsla90206f1; \??\C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{9F32EEB8-95AD-4731-A8EF-3A25F7360218}\MpKsla90206f1.sys [2010-03-17 28880]
R2 atksgt;atksgt; C:\Windows\system32\DRIVERS\atksgt.sys [2007-12-26 278984]
R2 Hardlock;Hardlock; \??\C:\Windows\system32\drivers\hardlock.sys [2004-11-05 670208]
R2 lirsgt;lirsgt; C:\Windows\system32\DRIVERS\lirsgt.sys [2007-12-26 25416]
R3 HdAudAddService;Ovladač funkce Microsoft 1.1 UAA pro službu zvuku High Definition Audio; C:\Windows\system32\drivers\HdAudio.sys [2009-04-11 236544]
R3 MpNWMon;Microsoft Malware Protection Network Driver; C:\Windows\system32\DRIVERS\MpNWMon.sys [2009-12-02 42368]
R3 nvlddmkm;nvlddmkm; C:\Windows\system32\DRIVERS\nvlddmkm.sys [2010-01-12 11586280]
R3 pcouffin;VSO Software pcouffin; C:\Windows\System32\Drivers\pcouffin.sys [2008-01-31 47360]
R3 RTL8169;Realtek 8169 NT Driver; C:\Windows\system32\DRIVERS\Rtlh86.sys [2009-12-20 234016]
S3 AnyDVD;AnyDVD; C:\Windows\System32\Drivers\AnyDVD.sys []
S3 axitqewx;axitqewx; C:\Windows\system32\drivers\axitqewx.sys []
S3 drmkaud;Dekodér zvuků DRM jádra společnosti Microsoft; C:\Windows\system32\drivers\drmkaud.sys [2008-01-19 5632]
S3 ElbyCDFL;ElbyCDFL; C:\Windows\System32\Drivers\ElbyCDFL.sys [2005-05-03 27392]
S3 ElbyDelay;ElbyDelay; C:\Windows\System32\Drivers\ElbyDelay.sys [2007-02-16 11984]
S3 gdrv;gdrv; \??\C:\Windows\gdrv.sys [2007-11-30 15600]
S3 hamachi;Hamachi Network Interface; C:\Windows\system32\DRIVERS\hamachi.sys [2008-05-13 25280]
S3 k750bus;Sony Ericsson 750 driver (WDM); C:\Windows\system32\DRIVERS\k750bus.sys [2005-02-11 55216]
S3 MSKSSRV;Server proxy služby datových proudů Microsoft; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-19 8192]
S3 MSPCLOCK;Server proxy hodin datových proudů Microsoft; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-19 5888]
S3 MSPQM;Server proxy správce kvality datových proudů Microsoft; C:\Windows\system32\drivers\MSPQM.sys [2008-01-19 5504]
S3 MSTEE;Konvertor jímka-jímka typu T datových proudů Microsoft; C:\Windows\system32\drivers\MSTEE.sys [2008-01-19 6016]
S3 nmwcd;Nokia USB Phone Parent; C:\Windows\system32\drivers\ccdcmb.sys [2009-02-09 17664]
S3 nmwcdc;Nokia USB Generic; C:\Windows\system32\drivers\ccdcmbo.sys [2009-02-09 22016]
S3 pccsmcfd;PCCS Mode Change Filter Driver; C:\Windows\system32\DRIVERS\pccsmcfd.sys [2008-08-26 18816]
S3 upperdev;upperdev; C:\Windows\system32\DRIVERS\usbser_lowerflt.sys [2009-02-09 7808]
S3 usbscan;Ovladač skeneru USB; C:\Windows\system32\DRIVERS\usbscan.sys [2008-01-19 35328]
S3 usbser;USB Modem Driver; C:\Windows\system32\drivers\usbser.sys [2009-04-11 27648]
S3 UsbserFilt;UsbserFilt; C:\Windows\system32\DRIVERS\usbser_lowerfltj.sys [2009-02-09 7808]
S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2009-10-01 40448]
S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-19 83328]
S4 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\drivers\wmiacpi.sys [2006-11-02 11264]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 MsMpSvc;Microsoft Antimalware Service; c:\Program Files\Microsoft Security Essentials\MsMpEng.exe [2009-12-09 17904]
R2 nvsvc;NVIDIA Display Driver Service; C:\Windows\system32\nvvsvc.exe [2010-01-11 129640]
R2 PnkBstrA;PnkBstrA; C:\Windows\system32\PnkBstrA.exe [2008-11-26 66872]
R2 Remote Solver for COSMOSFloWorks 2007;Remote Solver for COSMOSFloWorks 2007; C:\Program Files\SolidWorks (2)\COSMOSFloWorks\FloWorks\binCFW\StandAloneSlv.exe [2007-07-23 675840]
R2 wlidsvc;Windows Live ID Sign-in Assistant; C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE [2009-03-30 1533808]
R3 ServiceLayer;ServiceLayer; C:\Program Files\PC Connectivity Solution\ServiceLayer.exe [2009-06-02 637952]
S2 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-30 183280]
S2 StarWindServiceAE;StarWind AE Service; C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe [2007-05-28 275968]
S3 Autodesk Licensing Service;Autodesk Licensing Service; C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe [2008-01-28 85096]
S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2009-03-15 655624]
S3 FontCache;@%systemroot%\system32\FntCache.dll,-100; C:\Windows\system32\svchost.exe [2008-01-19 21504]
S3 NBService;NBService; C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe [2007-04-13 792112]
S3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe [2007-05-16 271920]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 SolidWorks Licensing Service;SolidWorks Licensing Service; C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe [2008-09-22 79360]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]

-----------------EOF-----------------

Re: vir Alureon.B nelze odstranit

Napsal: 17 bře 2010 17:28
od Caroprd111
Zdravím :)

Na logu se pracuje, prosím o strpení.

Re: vir Alureon.B nelze odstranit

Napsal: 17 bře 2010 17:32
od Caroprd111
Obrázek Kde přesně vir hlásí :???:


Obrázek Stáhněte a uložte, nejlépe na plochu http://download.bleepingcomputer.com/sUBs/ComboFix.exe
  • Vypněte všechny rezidentní bezpečnostní programy - firewally, antiviry, antispywary
  • Vložte do PC všechny flash disky, které používáte.
  • Spusťte aplikaci pod účtem s oprávněním Administrátora (Správce), ihned po startu se zobrazí stránka s licenčními podmínkami, pokračujte stisknutím tlačítka "Ano"
  • Dále postupujte dle pokynů, během scanu nespouštějte jiné aplikace a neklikejte do zobrazujícího se okna :!:
  • Scan by měl trvat okolo 5 - 10 minut, po dokončení Combofix zobrazí log C:\ComboFix.txt , který sem vložte.
  • Během skenování může být počítač restartován.

Re: vir Alureon.B nelze odstranit

Napsal: 17 bře 2010 19:50
od swobi
vir hlásí v: c:\windows\system32\drivers\atapi.sys

ComboFix 10-03-16.05 - Jan Svoboda 17.03.2010 17:51:21.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1250.420.1029.18.2046.1324 [GMT 1:00]
Spuštěný z: c:\users\Jan Svoboda\Jakub\download\ComboFix.exe
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
C:\desktop.ini
C:\install.exe
c:\users\Jan Svoboda\AppData\Roaming\inst.exe
c:\users\Jan Svoboda\AppData\Roaming\Microsoft\Internet Explorer\qiPSearchbar.dll
c:\windows\system32\reboot.txt

.
((((((((((((((((((((((((( Soubory vytvořené od 2010-02-17 do 2010-03-17 )))))))))))))))))))))))))))))))
.

2010-03-17 17:02 . 2010-03-17 17:02 -------- d-----w- c:\users\Jan Svoboda\AppData\Local\temp
2010-03-17 17:02 . 2010-03-17 17:02 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-03-17 16:47 . 2010-03-17 16:47 28880 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9F32EEB8-95AD-4731-A8EF-3A25F7360218}\MpKslbd2a423f.sys
2010-03-17 16:08 . 2010-03-17 16:08 -------- d-----w- c:\program files\trend micro
2010-03-17 16:08 . 2010-03-17 16:08 -------- d-----w- C:\rsit
2010-03-17 14:03 . 2010-03-17 14:09 -------- d-----w- c:\program files\Common Files\ParetoLogic
2010-03-17 14:02 . 2010-03-17 14:02 -------- d-----w- c:\users\Jan Svoboda\AppData\Local\Downloaded Installations
2010-03-17 13:44 . 2010-03-17 13:44 -------- d-----w- c:\users\Jan Svoboda\AppData\Roaming\Malwarebytes
2010-03-17 13:44 . 2010-03-17 13:44 -------- d-----w- c:\programdata\Malwarebytes
2010-03-14 13:49 . 2010-03-14 13:49 -------- d-----w- c:\program files\Common Files\PCSuite
2010-03-14 13:49 . 2010-03-14 13:49 -------- d-----w- c:\program files\Common Files\Nokia
2010-03-14 13:49 . 2008-08-26 09:26 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
2010-03-14 13:49 . 2010-03-14 13:49 -------- d-----w- c:\program files\PC Connectivity Solution
2010-03-14 13:47 . 2010-03-14 13:47 34557984 ----a-w- c:\programdata\Installations\{55495E65-7C5B-48E4-BC7D-DE54F3DE5ED6}\Nokia_PC_Suite_7_1_30_8_cze_web.exe
2010-03-14 13:47 . 2010-03-14 13:47 95232 ----a-w- c:\programdata\Installations\{55495E65-7C5B-48E4-BC7D-DE54F3DE5ED6}\Installer\CommonCustomActions\pcswpcsi.exe
2010-03-14 13:47 . 2010-03-14 13:47 8192 ----a-w- c:\programdata\Installations\{55495E65-7C5B-48E4-BC7D-DE54F3DE5ED6}\Installer\CommonCustomActions\UninstCCD.exe
2010-03-14 13:47 . 2010-03-14 13:47 61440 ----a-w- c:\programdata\Installations\{55495E65-7C5B-48E4-BC7D-DE54F3DE5ED6}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2010-03-14 13:47 . 2010-03-14 13:47 10240 ----a-w- c:\programdata\Installations\{55495E65-7C5B-48E4-BC7D-DE54F3DE5ED6}\Installer\CommonCustomActions\UninstPCS.exe
2010-03-12 16:04 . 2010-03-12 16:04 -------- d-----w- c:\users\Jan Svoboda\AppData\Local\Opera
2010-03-12 16:04 . 2010-03-12 16:04 -------- d-----w- c:\program files\Opera
2010-03-12 14:58 . 2010-03-12 14:58 -------- d-----w- c:\program files\NVIDIA Corporation
2010-03-12 14:57 . 2010-02-12 10:32 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-03-12 06:21 . 2010-02-20 23:06 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-03-12 06:21 . 2010-02-20 23:05 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-03-12 06:21 . 2010-02-20 20:53 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-02-26 14:05 . 2010-03-10 14:36 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-02-24 14:33 . 2010-02-24 15:01 -------- d-----w- c:\program files\Venetica
2010-02-16 18:19 . 2010-02-16 18:20 -------- d-----w- c:\program files\QIP

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-17 16:44 . 2007-01-08 21:09 606912 ----a-w- c:\windows\system32\perfh005.dat
2010-03-17 16:44 . 2007-01-08 21:09 119398 ----a-w- c:\windows\system32\perfc005.dat
2010-03-17 14:01 . 2009-11-26 15:07 35465 ----a-w- c:\programdata\nvModes.dat
2010-03-16 18:48 . 2009-02-03 18:08 -------- d-----w- c:\programdata\Google Updater
2010-03-14 14:00 . 2010-01-20 15:46 -------- d-----w- c:\users\Jan Svoboda\AppData\Roaming\Nokia
2010-03-14 13:53 . 2010-03-14 13:53 0 ---ha-w- c:\windows\system32\drivers\Msft_User_PCCSWpdDriver_01_07_00.Wdf
2010-03-14 13:49 . 2010-01-20 15:35 -------- d-----w- c:\program files\Nokia
2010-03-14 13:49 . 2010-01-20 15:36 -------- d-----w- c:\program files\DIFX
2010-03-14 13:47 . 2010-01-20 16:14 -------- d-----w- c:\programdata\Installations
2010-03-12 14:59 . 2007-11-30 14:33 -------- d-----w- c:\programdata\NVIDIA
2010-03-12 13:08 . 2008-09-22 17:39 -------- d-----w- c:\users\Jan Svoboda\AppData\Roaming\IM
2010-03-12 06:25 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-03-12 06:24 . 2009-10-06 12:48 -------- d-----w- c:\programdata\Microsoft Help
2010-03-07 17:27 . 2008-02-04 20:02 -------- d-----w- c:\users\Jan Svoboda\AppData\Roaming\DVD Flick
2010-03-05 14:07 . 2008-07-16 07:26 -------- d-----w- c:\program files\Warcraft III
2010-02-26 14:22 . 2008-01-11 17:06 -------- d-----w- c:\program files\Hewlett-Packard
2010-02-26 14:17 . 2008-06-09 14:55 19 ----a-w- c:\users\Jan Svoboda\AppData\Roaming\mdbu.bin
2010-02-26 13:52 . 2007-12-15 10:51 -------- d-----w- c:\program files\CCleaner
2010-02-25 09:21 . 2007-11-30 14:13 120104 ----a-w- c:\users\Jan Svoboda\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-24 09:16 . 2009-10-03 08:57 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-21 13:27 . 2008-03-30 13:23 -------- d-----w- c:\users\Jan Svoboda\AppData\Roaming\Skype
2010-02-21 13:26 . 2008-03-30 13:30 -------- d-----w- c:\users\Jan Svoboda\AppData\Roaming\skypePM
2010-02-15 17:35 . 2010-02-03 15:39 -------- d-----w- c:\programdata\Nokia
2010-02-15 15:28 . 2008-11-03 15:59 -------- d-----w- c:\program files\Windows Live
2010-02-05 15:47 . 2007-12-25 12:55 -------- d-----w- c:\programdata\Media Center Programs
2010-02-03 16:25 . 2010-02-03 16:25 -------- d-----w- c:\users\Jan Svoboda\AppData\Roaming\Nseries
2010-01-25 12:00 . 2010-02-24 12:38 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-25 12:00 . 2010-02-24 12:38 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:00 . 2010-02-24 12:38 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-25 12:00 . 2010-02-24 12:38 471552 ----a-w- c:\windows\system32\secproc.dll
2010-01-25 11:58 . 2010-02-24 12:38 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-01-25 08:21 . 2010-02-24 12:38 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:21 . 2010-02-24 12:38 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:21 . 2010-02-24 12:38 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-25 08:21 . 2010-02-24 12:38 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-23 09:26 . 2010-02-24 12:38 2048 ----a-w- c:\windows\system32\tzres.dll
2010-01-22 12:43 . 2009-06-22 17:12 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-21 17:14 . 2010-01-20 15:47 -------- d-----w- c:\users\Jan Svoboda\AppData\Roaming\PC Suite
2010-01-21 17:14 . 2010-01-21 17:14 0 ---ha-w- c:\windows\system32\drivers\Msft_User_PCCSWpdDriver_01_05_00.Wdf
2010-01-21 17:14 . 2010-01-20 15:47 -------- d-----w- c:\programdata\PC Suite
2010-01-21 17:13 . 2010-01-21 17:13 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2010-01-20 15:40 . 2010-01-20 15:40 -------- d-----w- c:\programdata\NokiaMusic
2010-01-11 21:18 . 2010-01-11 21:18 962664 ----a-w- c:\windows\system32\nvsvc.dll
2010-01-11 21:18 . 2010-01-11 21:18 13679720 ----a-w- c:\windows\system32\nvcpl.dll
2010-01-11 21:18 . 2010-01-11 21:18 129640 ----a-w- c:\windows\system32\nvvsvc.exe
2010-01-11 21:18 . 2010-01-11 21:18 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-01-06 15:39 . 2010-02-24 12:38 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-01-06 15:38 . 2010-02-24 12:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-01-06 15:38 . 2010-02-24 12:38 173056 ----a-w- c:\windows\AppPatch\AcXtrnal.dll
2010-01-06 15:38 . 2010-02-24 12:38 542720 ----a-w- c:\windows\AppPatch\AcLayers.dll
2010-01-06 15:38 . 2010-02-24 12:38 458752 ----a-w- c:\windows\AppPatch\AcSpecfc.dll
2010-01-06 15:38 . 2010-02-24 12:38 2159616 ----a-w- c:\windows\AppPatch\AcGenral.dll
2010-01-06 13:30 . 2010-02-24 12:38 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-01-02 06:38 . 2010-01-22 14:43 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-22 14:43 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32 . 2010-01-22 14:43 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57 . 2010-01-22 14:43 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-20 09:53 . 2009-12-20 09:53 234016 ----a-w- c:\windows\system32\drivers\Rtlh86.sys
2006-05-03 10:06 . 2009-03-05 15:35 163328 --sh--r- c:\windows\System32\flvDX.dll
2007-02-21 11:47 . 2009-03-05 15:35 31232 --sh--r- c:\windows\System32\msfDX.dll
2008-03-16 13:30 . 2009-03-05 15:35 216064 --sh--r- c:\windows\System32\nbDX.dll
.

------- Sigcheck -------

[-] 2009-04-11 06:32 . FE7F1C6750C0A2BD7597C1CE8C51B236 . 19944 . . [------] . . c:\windows\System32\drivers\atapi.sys
[7] 2009-04-11 . 1F05B78AB91C9075565A9D8A4B880BC4 . 19944 . . [6.0.6002.18005] . . c:\windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys
[7] 2008-02-13 . B35CFCEF838382AB6490B321C87EDF17 . 21560 . . [6.0.6000.16632] . . c:\windows\System32\DriverStore\FileRepository\mshdc.inf_7de13c21\atapi.sys
[7] 2008-01-19 . 2D9C903DC76A66813D350A562DE40ED9 . 21560 . . [6.0.6001.18000] . . c:\windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys
[7] 2006-11-02 . 4F4FCB8B6EA06784FB6D475B7EC7300F . 19048 . . [6.0.6000.16386] . . c:\windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-06-12 1414144]
"QIP2005"="c:\program files\QIP\qip.exe" [2009-08-13 3276288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-01 148888]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):ea,a1,f0,8d,51,56,ca,01

R0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]
R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-11-05 721904]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2009-12-02 42368]
S1 MpKslbd2a423f;MpKslbd2a423f;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9F32EEB8-95AD-4731-A8EF-3A25F7360218}\MpKslbd2a423f.sys [2010-03-17 28880]
S2 Remote Solver for COSMOSFloWorks 2007;Remote Solver for COSMOSFloWorks 2007;c:\program files\SolidWorks (2)\COSMOSFloWorks\FloWorks\binCFW\StandAloneSlv.exe [2007-07-23 675840]


--- Ostatní služby/ovladače v paměti ---

*NewlyCreated* - MPKSLBD2A423F

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Obsah adresáře 'Naplánované úlohy'

2010-03-17 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-03 15:10]

2010-03-16 c:\windows\Tasks\User_Feed_Synchronization-{D3BCFB12-CB3B-472F-9F00-1BB3D1BD21C9}.job
- c:\windows\system32\msfeedssync.exe [2010-01-22 04:56]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.idnes.cz/
uDefault_Search_URL = hxxp://search.qip.ru
uInternet Settings,ProxyServer = 192.168.1.1:80
uSearchAssistant = hxxp://search.qip.ru/ie
uSearchURL,(Default) = Root: HKCU; Subkey: Software\Microsoft\Internet Explorer\SearchUrl; ValueType: string; ValueName: '; ValueData: '; Flags: createvalueifdoesntexist noerror; Tasks: AddSearchQip
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Jan Svoboda\AppData\Roaming\Mozilla\Firefox\Profiles\2hrjvwbb.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.idnes.cz
FF - prefs.js: keyword.URL - hxxp://search.qip.ru/search?from=FF&query=
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -

URLSearchHooks-CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-17 18:02
Windows 6.0.6002 Service Pack 2 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x8501250C]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x82f9dd24
\Driver\ACPI -> acpi.sys @ 0x8069bd68
\Driver\atapi -> ataport.SYS @ 0x807aaa2c
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Celkový čas: 2010-03-17 18:05:28
ComboFix-quarantined-files.txt 2010-03-17 17:05

Před spuštěním: 8 087 769 088
Po spuštění: 8 057 880 576

- - End Of File - - 279F5B9CFAB1297B150DA25CC0D91778

Re: vir Alureon.B nelze odstranit

Napsal: 17 bře 2010 20:04
od Caroprd111
Obrázek Pokud nemáte, přesuňte Combofix na plochu
  • Otevřete si Poznámkový blok a zkopírujte do něj text z bílého okénka.

Kód: Vybrat vše

Driver::
MpKslbd2a423f
MpNWMon

File::
c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9F32EEB8-95AD-4731-A8EF-3A25F7360218}\MpKslbd2a423f.sys
c:\windows\system32\DRIVERS\MpNWMon.sys

Restore::
c:\windows\System32\drivers\atapi.sys

RegLock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
  • Uložte Vámi vytvořený TXT soubor jako CFScript.txt na plochu
  • Po uložení uchopte vámi vytvořený skript levým myšítkem a přesuňte ho nad ikonu Combofixu, kde ho upustíte:

    Obrázek
  • Po aplikaci na Vás vypadne další log,vložte ho sem
Může se stát, že po aplikaci skriptu a restartu Windows nenaběhnou, v tom případě znovu restartujte a přitom mačkejte F8, pak zvolte Poslední známou funkční konfiguraci

Re: vir Alureon.B nelze odstranit

Napsal: 17 bře 2010 21:00
od swobi
udelal jsem vse podle navodu, ale bohuzel jsem se musel vratit k posledni funkcni kombinaci, ptz pocitat nebyl schopen zapnout zadnou aplikaci a hlasil chybu neco s registry myslim..

Re: vir Alureon.B nelze odstranit

Napsal: 17 bře 2010 21:01
od swobi
tim padem vir a potazmo problem stale pretrvava..

Re: vir Alureon.B nelze odstranit

Napsal: 17 bře 2010 21:03
od Caroprd111
Podívejte se na disk C:, zda tam není log z ComboFixu.

Re: vir Alureon.B nelze odstranit

Napsal: 17 bře 2010 21:16
od swobi
ComboFix 10-03-16.05 - Jan Svoboda 17.03.2010 20:14:41.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1250.420.1029.18.2046.1068 [GMT 1:00]
Spuštěný z: c:\users\Jan Svoboda\Desktop\ComboFix.exe
Použité ovládací přepínače :: c:\users\Jan Svoboda\Desktop\CFScript.txt
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Vytvořen nový Bod Obnovení

FILE ::
"c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9F32EEB8-95AD-4731-A8EF-3A25F7360218}\MpKslbd2a423f.sys"
"c:\windows\system32\DRIVERS\MpNWMon.sys"
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\DRIVERS\MpNWMon.sys

.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MPKSLBD2A423F
-------\Legacy_MPNWMON
-------\Service_MpKslbd2a423f
-------\Service_MpNWMon


((((((((((((((((((((((((( Soubory vytvořené od 2010-02-17 do 2010-03-17 )))))))))))))))))))))))))))))))
.

2010-03-17 19:21 . 2010-03-17 19:25 -------- d-----w- c:\users\Jan Svoboda\AppData\Local\temp
2010-03-17 19:21 . 2010-03-17 19:21 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-03-17 16:08 . 2010-03-17 16:08 -------- d-----w- c:\program files\trend micro
2010-03-17 16:08 . 2010-03-17 16:08 -------- d-----w- C:\rsit
2010-03-17 14:03 . 2010-03-17 14:09 -------- d-----w- c:\program files\Common Files\ParetoLogic
2010-03-17 14:02 . 2010-03-17 14:02 -------- d-----w- c:\users\Jan Svoboda\AppData\Local\Downloaded Installations
2010-03-17 13:44 . 2010-03-17 13:44 -------- d-----w- c:\users\Jan Svoboda\AppData\Roaming\Malwarebytes
2010-03-17 13:44 . 2010-03-17 13:44 -------- d-----w- c:\programdata\Malwarebytes
2010-03-14 13:49 . 2010-03-14 13:49 -------- d-----w- c:\program files\Common Files\PCSuite
2010-03-14 13:49 . 2010-03-14 13:49 -------- d-----w- c:\program files\Common Files\Nokia
2010-03-14 13:49 . 2008-08-26 09:26 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
2010-03-14 13:49 . 2010-03-14 13:49 -------- d-----w- c:\program files\PC Connectivity Solution
2010-03-12 16:04 . 2010-03-12 16:04 -------- d-----w- c:\users\Jan Svoboda\AppData\Local\Opera
2010-03-12 16:04 . 2010-03-12 16:04 -------- d-----w- c:\program files\Opera
2010-03-12 14:58 . 2010-03-12 14:58 -------- d-----w- c:\program files\NVIDIA Corporation
2010-03-12 14:57 . 2010-02-12 10:32 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-03-12 06:21 . 2010-02-20 23:06 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-03-12 06:21 . 2010-02-20 23:05 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-03-12 06:21 . 2010-02-20 20:53 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-02-26 14:05 . 2010-03-10 14:36 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-02-24 14:33 . 2010-02-24 15:01 -------- d-----w- c:\program files\Venetica
2010-02-16 18:19 . 2010-02-16 18:20 -------- d-----w- c:\program files\QIP

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-17 19:25 . 2009-11-26 15:07 35465 ----a-w- c:\programdata\nvModes.dat
2010-03-17 16:44 . 2007-01-08 21:09 606912 ----a-w- c:\windows\system32\perfh005.dat
2010-03-17 16:44 . 2007-01-08 21:09 119398 ----a-w- c:\windows\system32\perfc005.dat
2010-03-16 18:48 . 2009-02-03 18:08 -------- d-----w- c:\programdata\Google Updater
2010-03-14 14:00 . 2010-01-20 15:46 -------- d-----w- c:\users\Jan Svoboda\AppData\Roaming\Nokia
2010-03-14 13:53 . 2010-03-14 13:53 0 ---ha-w- c:\windows\system32\drivers\Msft_User_PCCSWpdDriver_01_07_00.Wdf
2010-03-14 13:49 . 2010-01-20 15:35 -------- d-----w- c:\program files\Nokia
2010-03-14 13:49 . 2010-01-20 15:36 -------- d-----w- c:\program files\DIFX
2010-03-14 13:47 . 2010-01-20 16:14 -------- d-----w- c:\programdata\Installations
2010-03-14 13:47 . 2010-03-14 13:47 95232 ----a-w- c:\programdata\Installations\{55495E65-7C5B-48E4-BC7D-DE54F3DE5ED6}\Installer\CommonCustomActions\pcswpcsi.exe
2010-03-14 13:47 . 2010-03-14 13:47 8192 ----a-w- c:\programdata\Installations\{55495E65-7C5B-48E4-BC7D-DE54F3DE5ED6}\Installer\CommonCustomActions\UninstCCD.exe
2010-03-14 13:47 . 2010-03-14 13:47 61440 ----a-w- c:\programdata\Installations\{55495E65-7C5B-48E4-BC7D-DE54F3DE5ED6}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2010-03-14 13:47 . 2010-03-14 13:47 10240 ----a-w- c:\programdata\Installations\{55495E65-7C5B-48E4-BC7D-DE54F3DE5ED6}\Installer\CommonCustomActions\UninstPCS.exe
2010-03-14 13:47 . 2010-03-14 13:47 34557984 ----a-w- c:\programdata\Installations\{55495E65-7C5B-48E4-BC7D-DE54F3DE5ED6}\Nokia_PC_Suite_7_1_30_8_cze_web.exe
2010-03-12 14:59 . 2007-11-30 14:33 -------- d-----w- c:\programdata\NVIDIA
2010-03-12 13:08 . 2008-09-22 17:39 -------- d-----w- c:\users\Jan Svoboda\AppData\Roaming\IM
2010-03-12 06:25 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-03-12 06:24 . 2009-10-06 12:48 -------- d-----w- c:\programdata\Microsoft Help
2010-03-07 17:27 . 2008-02-04 20:02 -------- d-----w- c:\users\Jan Svoboda\AppData\Roaming\DVD Flick
2010-03-05 14:07 . 2008-07-16 07:26 -------- d-----w- c:\program files\Warcraft III
2010-02-26 14:22 . 2008-01-11 17:06 -------- d-----w- c:\program files\Hewlett-Packard
2010-02-26 14:17 . 2008-06-09 14:55 19 ----a-w- c:\users\Jan Svoboda\AppData\Roaming\mdbu.bin
2010-02-26 13:52 . 2007-12-15 10:51 -------- d-----w- c:\program files\CCleaner
2010-02-25 09:21 . 2007-11-30 14:13 120104 ----a-w- c:\users\Jan Svoboda\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-24 09:16 . 2009-10-03 08:57 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-21 13:27 . 2008-03-30 13:23 -------- d-----w- c:\users\Jan Svoboda\AppData\Roaming\Skype
2010-02-21 13:26 . 2008-03-30 13:30 -------- d-----w- c:\users\Jan Svoboda\AppData\Roaming\skypePM
2010-02-15 17:35 . 2010-02-03 15:39 -------- d-----w- c:\programdata\Nokia
2010-02-15 15:28 . 2008-11-03 15:59 -------- d-----w- c:\program files\Windows Live
2010-02-05 15:47 . 2007-12-25 12:55 -------- d-----w- c:\programdata\Media Center Programs
2010-02-03 16:25 . 2010-02-03 16:25 -------- d-----w- c:\users\Jan Svoboda\AppData\Roaming\Nseries
2010-01-25 12:00 . 2010-02-24 12:38 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-25 12:00 . 2010-02-24 12:38 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:00 . 2010-02-24 12:38 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-25 12:00 . 2010-02-24 12:38 471552 ----a-w- c:\windows\system32\secproc.dll
2010-01-25 11:58 . 2010-02-24 12:38 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-01-25 08:21 . 2010-02-24 12:38 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:21 . 2010-02-24 12:38 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:21 . 2010-02-24 12:38 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-25 08:21 . 2010-02-24 12:38 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-23 09:26 . 2010-02-24 12:38 2048 ----a-w- c:\windows\system32\tzres.dll
2010-01-22 12:43 . 2009-06-22 17:12 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-21 17:14 . 2010-01-20 15:47 -------- d-----w- c:\users\Jan Svoboda\AppData\Roaming\PC Suite
2010-01-21 17:14 . 2010-01-21 17:14 0 ---ha-w- c:\windows\system32\drivers\Msft_User_PCCSWpdDriver_01_05_00.Wdf
2010-01-21 17:14 . 2010-01-20 15:47 -------- d-----w- c:\programdata\PC Suite
2010-01-21 17:13 . 2010-01-21 17:13 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2010-01-20 15:40 . 2010-01-20 15:40 -------- d-----w- c:\programdata\NokiaMusic
2010-01-11 21:18 . 2010-01-11 21:18 962664 ----a-w- c:\windows\system32\nvsvc.dll
2010-01-11 21:18 . 2010-01-11 21:18 13679720 ----a-w- c:\windows\system32\nvcpl.dll
2010-01-11 21:18 . 2010-01-11 21:18 129640 ----a-w- c:\windows\system32\nvvsvc.exe
2010-01-11 21:18 . 2010-01-11 21:18 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-01-06 15:39 . 2010-02-24 12:38 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-01-06 15:38 . 2010-02-24 12:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-01-06 15:38 . 2010-02-24 12:38 173056 ----a-w- c:\windows\AppPatch\AcXtrnal.dll
2010-01-06 15:38 . 2010-02-24 12:38 542720 ----a-w- c:\windows\AppPatch\AcLayers.dll
2010-01-06 15:38 . 2010-02-24 12:38 458752 ----a-w- c:\windows\AppPatch\AcSpecfc.dll
2010-01-06 15:38 . 2010-02-24 12:38 2159616 ----a-w- c:\windows\AppPatch\AcGenral.dll
2010-01-06 13:30 . 2010-02-24 12:38 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-01-02 06:38 . 2010-01-22 14:43 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-22 14:43 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32 . 2010-01-22 14:43 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57 . 2010-01-22 14:43 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-20 09:53 . 2009-12-20 09:53 234016 ----a-w- c:\windows\system32\drivers\Rtlh86.sys
2006-05-03 10:06 . 2009-03-05 15:35 163328 --sh--r- c:\windows\System32\flvDX.dll
2007-02-21 11:47 . 2009-03-05 15:35 31232 --sh--r- c:\windows\System32\msfDX.dll
2008-03-16 13:30 . 2009-03-05 15:35 216064 --sh--r- c:\windows\System32\nbDX.dll
.

------- Sigcheck -------

[-] 2009-04-11 06:32 . A112A53B1EEA8FD4A06B4D81494E5FB6 . 19944 . . [------] . . c:\windows\System32\drivers\atapi.sys
[7] 2009-04-11 . 1F05B78AB91C9075565A9D8A4B880BC4 . 19944 . . [6.0.6002.18005] . . c:\windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys
[7] 2008-02-13 . B35CFCEF838382AB6490B321C87EDF17 . 21560 . . [6.0.6000.16632] . . c:\windows\System32\DriverStore\FileRepository\mshdc.inf_7de13c21\atapi.sys
[7] 2008-01-19 . 2D9C903DC76A66813D350A562DE40ED9 . 21560 . . [6.0.6001.18000] . . c:\windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys
[7] 2006-11-02 . 4F4FCB8B6EA06784FB6D475B7EC7300F . 19048 . . [6.0.6000.16386] . . c:\windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-06-12 1414144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-01 148888]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):ea,a1,f0,8d,51,56,ca,01

R0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-11-05 721904]
S2 Remote Solver for COSMOSFloWorks 2007;Remote Solver for COSMOSFloWorks 2007;c:\program files\SolidWorks (2)\COSMOSFloWorks\FloWorks\binCFW\StandAloneSlv.exe [2007-07-23 675840]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Obsah adresáře 'Naplánované úlohy'

2010-03-17 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-03 15:10]

2010-03-16 c:\windows\Tasks\User_Feed_Synchronization-{D3BCFB12-CB3B-472F-9F00-1BB3D1BD21C9}.job
- c:\windows\system32\msfeedssync.exe [2010-01-22 04:56]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.idnes.cz/
uDefault_Search_URL = hxxp://search.qip.ru
uInternet Settings,ProxyServer = 192.168.1.1:80
uSearchAssistant = hxxp://search.qip.ru/ie
uSearchURL,(Default) = Root: HKCU; Subkey: Software\Microsoft\Internet Explorer\SearchUrl; ValueType: string; ValueName: '; ValueData: '; Flags: createvalueifdoesntexist noerror; Tasks: AddSearchQip
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Jan Svoboda\AppData\Roaming\Mozilla\Firefox\Profiles\2hrjvwbb.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.idnes.cz
FF - prefs.js: keyword.URL - hxxp://search.qip.ru/search?from=FF&query=
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-17 20:25
Windows 6.0.6002 Service Pack 2 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x852E550C]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x883a2d24
\Driver\ACPI -> acpi.sys @ 0x805bfd68
\Driver\atapi -> 0x852231f8
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'Explorer.exe'(3444)
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_cze.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\windows\system32\nvvsvc.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\conime.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Celkový čas: 2010-03-17 20:35:06 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-03-17 19:34
ComboFix2.txt 2010-03-17 17:05

Před spuštěním: 8 088 653 824
Po spuštění: 7 827 656 704

- - End Of File - - 32EAE4F804E4954D74641539F2F88297

Re: vir Alureon.B nelze odstranit

Napsal: 17 bře 2010 21:22
od Caroprd111
Obrázek Pokud nemáte, přesuňte Combofix na plochu
  • Otevřete si Poznámkový blok a zkopírujte do něj text z bílého okénka.

Kód: Vybrat vše

FCopy::
c:\windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys | c:\windows\System32\drivers\atapi.sys
  • Uložte Vámi vytvořený TXT soubor jako CFScript.txt na plochu
  • Po uložení uchopte vámi vytvořený skript levým myšítkem a přesuňte ho nad ikonu Combofixu, kde ho upustíte:

    Obrázek
  • Po aplikaci na Vás vypadne další log,vložte ho sem
Může se stát, že po aplikaci skriptu a restartu Windows nenaběhnou, v tom případě znovu restartujte a přitom mačkejte F8, pak zvolte Poslední známou funkční konfiguraci

Re: vir Alureon.B nelze odstranit

Napsal: 17 bře 2010 22:05
od swobi
zase stejny problem navrat k redchozi funkcni kombinaci kvuli chybe : pokus použití neplatnou operaci na klíč registru, který je označen pro odstranění.

ComboFix 10-03-16.05 - Jan Svoboda 17.03.2010 21:32:39.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1250.420.1029.18.2046.1306 [GMT 1:00]
Spuštěný z: c:\users\Jan Svoboda\Desktop\ComboFix.exe
Použité ovládací přepínače :: c:\users\Jan Svoboda\Desktop\CFScript.txt
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Soubory vytvořené od 2010-02-17 do 2010-03-17 )))))))))))))))))))))))))))))))
.

2010-03-17 20:40 . 2010-03-17 20:44 -------- d-----w- c:\users\Jan Svoboda\AppData\Local\temp
2010-03-17 20:40 . 2010-03-17 20:40 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-03-17 20:40 . 2010-03-17 20:40 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-03-17 16:08 . 2010-03-17 16:08 -------- d-----w- c:\program files\trend micro
2010-03-17 16:08 . 2010-03-17 16:08 -------- d-----w- C:\rsit
2010-03-17 14:03 . 2010-03-17 14:09 -------- d-----w- c:\program files\Common Files\ParetoLogic
2010-03-17 14:02 . 2010-03-17 14:02 -------- d-----w- c:\users\Jan Svoboda\AppData\Local\Downloaded Installations
2010-03-17 13:44 . 2010-03-17 13:44 -------- d-----w- c:\users\Jan Svoboda\AppData\Roaming\Malwarebytes
2010-03-17 13:44 . 2010-03-17 13:44 -------- d-----w- c:\programdata\Malwarebytes
2010-03-14 13:49 . 2010-03-14 13:49 -------- d-----w- c:\program files\Common Files\PCSuite
2010-03-14 13:49 . 2010-03-14 13:49 -------- d-----w- c:\program files\Common Files\Nokia
2010-03-14 13:49 . 2008-08-26 09:26 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
2010-03-14 13:49 . 2010-03-14 13:49 -------- d-----w- c:\program files\PC Connectivity Solution
2010-03-12 16:04 . 2010-03-12 16:04 -------- d-----w- c:\users\Jan Svoboda\AppData\Local\Opera
2010-03-12 16:04 . 2010-03-12 16:04 -------- d-----w- c:\program files\Opera
2010-03-12 14:58 . 2010-03-12 14:58 -------- d-----w- c:\program files\NVIDIA Corporation
2010-03-12 14:57 . 2010-02-12 10:32 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-03-12 06:21 . 2010-02-20 23:06 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-03-12 06:21 . 2010-02-20 23:05 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-03-12 06:21 . 2010-02-20 20:53 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-02-26 14:05 . 2010-03-10 14:36 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-02-24 14:33 . 2010-02-24 15:01 -------- d-----w- c:\program files\Venetica
2010-02-16 18:19 . 2010-02-16 18:20 -------- d-----w- c:\program files\QIP

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-17 20:44 . 2009-11-26 15:07 35465 ----a-w- c:\programdata\nvModes.dat
2010-03-17 19:54 . 2009-02-03 18:08 -------- d-----w- c:\programdata\Google Updater
2010-03-17 16:44 . 2007-01-08 21:09 606912 ----a-w- c:\windows\system32\perfh005.dat
2010-03-17 16:44 . 2007-01-08 21:09 119398 ----a-w- c:\windows\system32\perfc005.dat
2010-03-14 14:00 . 2010-01-20 15:46 -------- d-----w- c:\users\Jan Svoboda\AppData\Roaming\Nokia
2010-03-14 13:53 . 2010-03-14 13:53 0 ---ha-w- c:\windows\system32\drivers\Msft_User_PCCSWpdDriver_01_07_00.Wdf
2010-03-14 13:49 . 2010-01-20 15:35 -------- d-----w- c:\program files\Nokia
2010-03-14 13:49 . 2010-01-20 15:36 -------- d-----w- c:\program files\DIFX
2010-03-14 13:47 . 2010-01-20 16:14 -------- d-----w- c:\programdata\Installations
2010-03-12 14:59 . 2007-11-30 14:33 -------- d-----w- c:\programdata\NVIDIA
2010-03-12 13:08 . 2008-09-22 17:39 -------- d-----w- c:\users\Jan Svoboda\AppData\Roaming\IM
2010-03-12 06:25 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-03-12 06:24 . 2009-10-06 12:48 -------- d-----w- c:\programdata\Microsoft Help
2010-03-07 17:27 . 2008-02-04 20:02 -------- d-----w- c:\users\Jan Svoboda\AppData\Roaming\DVD Flick
2010-03-05 14:07 . 2008-07-16 07:26 -------- d-----w- c:\program files\Warcraft III
2010-02-26 14:22 . 2008-01-11 17:06 -------- d-----w- c:\program files\Hewlett-Packard
2010-02-26 14:17 . 2008-06-09 14:55 19 ----a-w- c:\users\Jan Svoboda\AppData\Roaming\mdbu.bin
2010-02-26 13:52 . 2007-12-15 10:51 -------- d-----w- c:\program files\CCleaner
2010-02-25 09:21 . 2007-11-30 14:13 120104 ----a-w- c:\users\Jan Svoboda\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-24 09:16 . 2009-10-03 08:57 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-21 13:27 . 2008-03-30 13:23 -------- d-----w- c:\users\Jan Svoboda\AppData\Roaming\Skype
2010-02-21 13:26 . 2008-03-30 13:30 -------- d-----w- c:\users\Jan Svoboda\AppData\Roaming\skypePM
2010-02-15 17:35 . 2010-02-03 15:39 -------- d-----w- c:\programdata\Nokia
2010-02-15 15:28 . 2008-11-03 15:59 -------- d-----w- c:\program files\Windows Live
2010-02-05 15:47 . 2007-12-25 12:55 -------- d-----w- c:\programdata\Media Center Programs
2010-02-03 16:25 . 2010-02-03 16:25 -------- d-----w- c:\users\Jan Svoboda\AppData\Roaming\Nseries
2010-01-25 12:00 . 2010-02-24 12:38 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-25 12:00 . 2010-02-24 12:38 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:00 . 2010-02-24 12:38 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-25 12:00 . 2010-02-24 12:38 471552 ----a-w- c:\windows\system32\secproc.dll
2010-01-25 11:58 . 2010-02-24 12:38 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-01-25 08:21 . 2010-02-24 12:38 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:21 . 2010-02-24 12:38 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:21 . 2010-02-24 12:38 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-25 08:21 . 2010-02-24 12:38 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-23 09:26 . 2010-02-24 12:38 2048 ----a-w- c:\windows\system32\tzres.dll
2010-01-22 12:43 . 2009-06-22 17:12 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-21 17:14 . 2010-01-20 15:47 -------- d-----w- c:\users\Jan Svoboda\AppData\Roaming\PC Suite
2010-01-21 17:14 . 2010-01-21 17:14 0 ---ha-w- c:\windows\system32\drivers\Msft_User_PCCSWpdDriver_01_05_00.Wdf
2010-01-21 17:14 . 2010-01-20 15:47 -------- d-----w- c:\programdata\PC Suite
2010-01-21 17:13 . 2010-01-21 17:13 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2010-01-20 15:40 . 2010-01-20 15:40 -------- d-----w- c:\programdata\NokiaMusic
2010-01-11 21:18 . 2010-01-11 21:18 962664 ----a-w- c:\windows\system32\nvsvc.dll
2010-01-11 21:18 . 2010-01-11 21:18 13679720 ----a-w- c:\windows\system32\nvcpl.dll
2010-01-11 21:18 . 2010-01-11 21:18 129640 ----a-w- c:\windows\system32\nvvsvc.exe
2010-01-11 21:18 . 2010-01-11 21:18 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-01-06 15:39 . 2010-02-24 12:38 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-01-06 15:38 . 2010-02-24 12:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-01-06 13:30 . 2010-02-24 12:38 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-01-02 06:38 . 2010-01-22 14:43 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-22 14:43 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32 . 2010-01-22 14:43 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57 . 2010-01-22 14:43 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-20 09:53 . 2009-12-20 09:53 234016 ----a-w- c:\windows\system32\drivers\Rtlh86.sys
2006-05-03 10:06 . 2009-03-05 15:35 163328 --sh--r- c:\windows\System32\flvDX.dll
2007-02-21 11:47 . 2009-03-05 15:35 31232 --sh--r- c:\windows\System32\msfDX.dll
2008-03-16 13:30 . 2009-03-05 15:35 216064 --sh--r- c:\windows\System32\nbDX.dll
.

------- Sigcheck -------

[-] 2009-04-11 06:32 . A112A53B1EEA8FD4A06B4D81494E5FB6 . 19944 . . [------] . . c:\windows\System32\drivers\atapi.sys
[7] 2009-04-11 . 1F05B78AB91C9075565A9D8A4B880BC4 . 19944 . . [6.0.6002.18005] . . c:\windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys
[7] 2008-02-13 . B35CFCEF838382AB6490B321C87EDF17 . 21560 . . [6.0.6000.16632] . . c:\windows\System32\DriverStore\FileRepository\mshdc.inf_7de13c21\atapi.sys
[7] 2008-01-19 . 2D9C903DC76A66813D350A562DE40ED9 . 21560 . . [6.0.6001.18000] . . c:\windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys
[7] 2006-11-02 . 4F4FCB8B6EA06784FB6D475B7EC7300F . 19048 . . [6.0.6000.16386] . . c:\windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-06-12 1414144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-01 148888]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):ea,a1,f0,8d,51,56,ca,01

R0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-11-05 721904]
S2 Remote Solver for COSMOSFloWorks 2007;Remote Solver for COSMOSFloWorks 2007;c:\program files\SolidWorks (2)\COSMOSFloWorks\FloWorks\binCFW\StandAloneSlv.exe [2007-07-23 675840]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Obsah adresáře 'Naplánované úlohy'

2010-03-17 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-03 15:10]

2010-03-17 c:\windows\Tasks\User_Feed_Synchronization-{D3BCFB12-CB3B-472F-9F00-1BB3D1BD21C9}.job
- c:\windows\system32\msfeedssync.exe [2010-01-22 04:56]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.idnes.cz/
uDefault_Search_URL = hxxp://search.qip.ru
uInternet Settings,ProxyServer = 192.168.1.1:80
uSearchAssistant = hxxp://search.qip.ru/ie
uSearchURL,(Default) = Root: HKCU; Subkey: Software\Microsoft\Internet Explorer\SearchUrl; ValueType: string; ValueName: '; ValueData: '; Flags: createvalueifdoesntexist noerror; Tasks: AddSearchQip
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Jan Svoboda\AppData\Roaming\Mozilla\Firefox\Profiles\2hrjvwbb.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.idnes.cz
FF - prefs.js: keyword.URL - hxxp://search.qip.ru/search?from=FF&query=
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-17 21:44
Windows 6.0.6002 Service Pack 2 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x8530650C]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x8839ed24
\Driver\ACPI -> acpi.sys @ 0x8260fd68
\Driver\atapi -> 0x852231f8
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'Explorer.exe'(880)
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_cze.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\windows\system32\nvvsvc.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\conime.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\servicing\TrustedInstaller.exe
c:\program files\Internet Explorer\IELowutil.exe
.
**************************************************************************
.
Celkový čas: 2010-03-17 21:55:07 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-03-17 20:55
ComboFix2.txt 2010-03-17 19:35
ComboFix3.txt 2010-03-17 17:05

Před spuštěním: 7 851 003 904
Po spuštění: 7 812 173 824

- - End Of File - - 77E39A01709A800BEA611B81F5F616D6

Re: vir Alureon.B nelze odstranit

Napsal: 17 bře 2010 22:10
od Caroprd111
Obrázek Odinstalujte všechny emulátory virtuálních mechanik.

Obrázek Stáhněte SPTD http://www.duplexsecure.com/en/downloads
  • Vyberte verzi podle svého operačního systému (64 & 32b). Uložte na plochu a spusťte.
  • zvolte možnost Uninstall a restartujte PC.

Obrázek Stáhněte a spusťte http://www.jpshortstuff.247fixes.com/Defogger.exe
  • Klikněte na "Disable" a restartujte PC.

Obrázek Stáhněte MBR na plochu http://www2.gmer.net/mbr/mbr.exe

Obrázek Start > Spustit (Win + R)
  • Vyskočí okénko, zkopírujte do něj:

Kód: Vybrat vše

"%userprofile%\plocha\mbr" -t
  • Klikněte na OK
  • Vytvoří se log s názvem mbr.log, vložte ho sem.


Obrázek Dejte log z Gmer http://www.viry.cz/forum/viewtopic.php?f=29&t=62878

Re: vir Alureon.B nelze odstranit

Napsal: 18 bře 2010 16:45
od swobi
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: error reading MBR
kernel: error reading MBR
--------------------------------------------------------------------------------------------------------------------
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-03-18 16:11:08
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\JANSVO~1\AppData\Local\Temp\fxryykod.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Společnost Microsoft)

Device \Driver\00000695 -> \Driver\atapi \Device\Harddisk0\DR0 8546F50C

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
---------------------------------------------------------------------------------------------------------------------
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-18 16:42:52
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\JANSVO~1\AppData\Local\Temp\fxryykod.sys


---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\Windows\system32\drivers\atapi.sys entry point in ".rsrc" section [0x8079D02C]
.text C:\Windows\system32\DRIVERS\atksgt.sys section is writeable [0xA0256300, 0x3AE88, 0xE8000020]
.text C:\Windows\system32\drivers\hardlock.sys section is writeable [0xA0299400, 0x7A186, 0xE8000020]
.protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xA0337A20] C:\Windows\system32\drivers\hardlock.sys entry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xA0337A20]
.protect˙˙˙˙hardlockunknown last code section [0xA0337800, 0x5041, 0xE0000020] C:\Windows\system32\drivers\hardlock.sys unknown last code section [0xA0337800, 0x5041, 0xE0000020]
.text C:\Windows\system32\DRIVERS\lirsgt.sys section is writeable [0xA033D300, 0x1B7E, 0xE8000020]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[1276] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [745E7817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1276] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [7463A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1276] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [745EBB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1276] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [745DF695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1276] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [745E75E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1276] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [745DE7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1276] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [74618395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1276] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [745EDA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1276] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [745DFFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1276] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [745DFF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1276] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [745D71CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1276] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [7466CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1276] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [7460C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1276] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [745DD968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1276] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [745D6853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1276] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [745D687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1276] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [745E2AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Společnost Microsoft)

Device \Driver\00000695 -> \Driver\atapi \Device\Harddisk0\DR0 8546F50C

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x7A 0x45 0xAE 0x0D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x7A 0x45 0xAE 0x0D ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x39 0xF4 0xCC 0x98 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x75 0x28 0x66 0x1F ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0xCE 0xF6 0x3D 0x68 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41@ujdew 0x2C 0x59 0x24 0x1E ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg42 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg42@ujdew 0x94 0x87 0x21 0x6A ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg43 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg43@ujdew 0x94 0x87 0x21 0x6A ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg44 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg44@ujdew 0x94 0x87 0x21 0x6A ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg45 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg45@ujdew 0x94 0x87 0x21 0x6A ...
Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@SIGN=1C81D0 Do GTAIV Nutné\NUTNÉ!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\xa7\7z.exe 1

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Re: vir Alureon.B nelze odstranit

Napsal: 18 bře 2010 18:41
od Caroprd111
Máte instalační CD Vaší verze Windows :???:

Re: vir Alureon.B nelze odstranit

Napsal: 18 bře 2010 18:52
od swobi
ano
Všechny časy jsou v UTC+01:00
Stránka 1 z 3

Založeno na phpBB® Forum Software © phpBB Limited

Český překlad – phpBB.cz