Opet Virus protector

Frutigo · Příspěvekod **Frutigo** » 14 bře 2010 10:48

ComboFix 10-03-13.03 - Frutigo 14.03.2010 10:36:22.1.1 - FAT32x86
Systém Microsoft Windows XP Professional 5.1.2600.1.1250.420.1029.18.511.228 [GMT 1:00]
Spuštěný z: c:\documents and settings\Frutigo\Plocha\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycled\com4
c:\windows\system32\1745857236.dat
c:\windows\system32\ieuinit.inf
c:\windows\System32\ws2_32r.exe

c:\windows\system32\qmgr.dll . . . je infikován!!

.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_APPMGMTUPS
-------\Service_AppMgmtUPS

((((((((((((((((((((((((( Soubory vytvořené od 2010-02-14 do 2010-03-14 )))))))))))))))))))))))))))))))
.

2010-03-13 19:11 . 2010-03-09 11:12 162640 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-03-13 19:11 . 2010-03-09 11:12 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-03-13 19:11 . 2010-03-09 11:09 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-03-13 19:11 . 2010-03-09 11:08 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-03-13 19:11 . 2010-03-09 11:08 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-03-13 19:11 . 2010-03-09 11:08 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-03-13 19:10 . 2010-03-09 11:24 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-03-13 19:10 . 2010-03-09 11:24 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-03-13 18:56 . 2010-03-13 18:56 -------- d-----w- c:\program files\XP TCPIP Repair
2010-03-13 09:19 . 2010-01-07 15:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-13 09:18 . 2010-03-13 09:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-13 09:18 . 2010-01-07 15:07 18520 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-12 20:03 . 2010-03-12 20:03 -------- d-----w- c:\program files\Alwil Software
2010-03-12 18:50 . 2010-03-12 18:50 -------- d-----w- C:\FOUND.005
2010-03-12 18:45 . 2010-03-12 18:45 -------- d-----w- C:\FOUND.004
2010-03-12 06:25 . 2010-03-12 06:25 1463808 ----a-w- c:\windows\system32\aMLkvhrxw.dll
2010-03-12 06:25 . 2010-03-12 06:25 1463808 ----a-w- c:\windows\system32\a79oCE.exe
2010-02-27 14:21 . 2010-02-27 14:21 -------- d-----w- c:\windows\system32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-30 11:58 . 2010-01-30 11:58 18944 ----a-w- c:\windows\system32\vbCPUInf.dll
2010-01-18 15:14 . 2001-10-25 13:00 73236 ----a-w- c:\windows\system32\perfc005.dat
2010-01-18 15:14 . 2001-10-25 13:00 398472 ----a-w- c:\windows\system32\perfh005.dat
2010-01-18 15:10 . 2010-01-18 15:09 -------- d-----w- c:\program files\MzRam
2010-01-18 15:06 . 2010-01-18 15:06 -------- d-----w- c:\program files\CM Data Software
2010-01-18 15:06 . 2008-12-09 19:38 737280 ----a-w- c:\windows\iun6002.exe
2009-05-03 19:24 . 2009-05-03 19:24 33 ----a-w- c:\program files\Common Files\LanTingSys.txt
2006-10-11 08:04 . 2009-01-11 15:17 61036 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2006-10-11 08:05 . 2009-01-11 15:17 48742 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2006-10-11 08:05 . 2009-01-11 15:17 29313 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2006-10-11 08:05 . 2009-01-11 15:17 41082 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2006-10-11 08:04 . 2009-01-11 15:17 166510 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-03-09 2769336]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-01-11 185872]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Startup Cleaner"="c:\program files\CM Data Software\CM DiskCleaner\Startup Cleaner.exe" [2006-10-08 122880]
"SearchSettings"="c:\program files\pdfforge Toolbar\SearchSettings.exe" [2009-07-29 1024512]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-12-09 155648]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"AudioDeck"="c:\program files\VIAudioi\SBADeck\ADeck.exe" [2005-09-06 450560]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-06 61440]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2002-09-20 13312]

c:\documents and settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
SecureDoc.lnk - c:\program files\MSI\SecureDoc\Logon.exe [2008-12-9 82944]
PC Alert 4.lnk - c:\program files\MSI\PC Alert 4\PCAlert4.exe [2008-12-9 544768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\System32\logonui.exe"

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [23.12.2008 18:36 642560]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [13.3.2010 20:11 162640]
R1 TRIXX;TRIXX;c:\program files\TRIXX\TRIXXDriver.sys [16.8.2005 12:17 15360]
R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;d:\program files\Firebird\Firebird_2_0\bin\fbguard.exe -s --> d:\program files\Firebird\Firebird_2_0\bin\fbguard.exe -s [?]
R2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [10.12.2008 16:27 222456]
R2 ssoftnt4;ssoftnt4;c:\windows\system32\drivers\ssoftnt4.sys [21.5.2004 1:30 114944]
R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;d:\program files\Firebird\Firebird_2_0\bin\fbserver.exe -s --> d:\program files\Firebird\Firebird_2_0\bin\fbserver.exe -s [?]
R3 PCAlertDriver;PCAlertDriver;c:\program files\MSI\PC Alert 4\NTGLM7X.SYS [9.12.2008 20:07 22432]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\Frutigo\LOCALS~1\Temp\FJK12BE.tmp --> c:\docume~1\Frutigo\LOCALS~1\Temp\FJK12BE.tmp [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2.8.2005 22:10 32512]

--- Ostatní služby/ovladače v paměti ---

*NewlyCreated* - ALG
*NewlyCreated* - IPNAT
*NewlyCreated* - PCALERTDRIVER
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.seznam.cz/
IE: Download with &Shareaza - d:\program files\Morpheus Music\Plugins\RazaWebHook.dll/3000
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Frutigo\Data aplikací\Mozilla\Firefox\Profiles\nwe5paog.default\
FF - prefs.js: browser.startup.homepage - seznam.cz
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B922D405-6D13-4A2B-AE89-08A030DA4402}\components\pdfforgeToolbarFF.dll
FF - component: c:\program files\Mozilla Firefox\extensions\search@searchsettings.com\components\SearchSettingsFF.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -

URLSearchHooks-{E312764E-7706-43F1-8DAB-FCDD2B1E416D} - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-14 10:44
Windows 5.1.2600 Service Pack 1 FAT NTAPI

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe >>UNKNOWN [0x82FA3EB0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> 0x82fa3eb0
\Driver\ACPI -> ACPI.sys @ 0xf8567740
\Driver\atapi -> atapi.sys @ 0xf8512510
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x80559f4b
ParseProcedure -> ntoskrnl.exe @ 0x805829d5
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x80559f4b
ParseProcedure -> ntoskrnl.exe @ 0x805829d5
NDIS: VIA Rhine II Fast Ethernet Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf84a8d84
PacketIndicateHandler -> NDIS.sys @ 0xf84b5480
SendHandler -> NDIS.sys @ 0xf8496933
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\Frutigo\LOCALS~1\Temp\FJK12BE.tmp"
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(816)
c:\windows\System32\ODBC32.dll
c:\windows\System32\ginamsi.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(876)
c:\windows\System32\dssenh.dll

- - - - - - - > 'explorer.exe'(2620)
c:\windows\System32\msi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\Ati2evxx.exe
d:\program files\Firebird\Firebird_2_0\bin\fbguard.exe
c:\program files\Real\RealPlayer\RealPlay.exe
c:\program files\Real\RealPlayer\RealPlay.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\ssoftsrv.exe
c:\windows\System32\taskmgr.exe
c:\program files\HP\Digital Imaging\bin\hpqtra08.exe
c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
d:\program files\Firebird\Firebird_2_0\bin\fbserver.exe
c:\windows\System32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Celkový čas: 2010-03-14 10:47:21 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-03-14 09:47

Před spuštěním: 4 923 080 704
Po spuštění: 5 315 690 496

winxpsp1_cs_pro_bf.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - DFA9A8CA5F89B9150701DDBFC52CA22A

Reklama

Příspěvekod **jaro3** » 14 bře 2010 14:00

Odinstaluj:
pdfforge Toolbar (pokud tam je)

Otevři si Poznámkový blok (Start -> Spustit... a napiš do okna Notepad a dej Ok.
Zkopíruj do něj následující celý text označený zeleně:
Poznámka: Nepoužij k označení skriptu funkci VYBRAT VŠE

Kód: Vybrat vše

KillAll::
FCopy::
C:\WINDOWS\ServicePackFiles\i386\qmgr.dll | c:\windows\ system32\qmgr.dll

File::
c:\windows\system32\aMLkvhrxw.dll
c:\windows\system32\a79oCE.exe
c:\windows\iun6002.exe
c:\program files\pdfforge Toolbar\SearchSettings.exe
c:\docume~1\Frutigo\LOCALS~1\Temp\FJK12BE.tmp

Folder::
C:\FOUND.005
C:\FOUND.004
c:\program files\pdfforge Toolbar

Driver::
GarenaPEngine

DirLook::
c:\windows\system32\Adobe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"=-
"SearchSettings"=-
"QuickTime Task"=-
"NeroFilterCheck"=-
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\GarenaPEngine]

Zvol možnost Soubor -> Uložit jako... a nastav tyto parametry:
Název souboru: zde napiš: CFScript.txt
Uložit jako typ: tak tam vyber Všechny soubory
Ulož soubor na plochu.
Ukonči všechna aktivní okna.

Uchop myší vytvořený skript CFScript.txt, přemísti ho nad stažený program ComboFix.exe a když se oba soubory překryjí, skript upusť.
- Automaticky se spustí ComboFix
- Vlož sem log, který vyběhne v závěru čistícího procesu + nový log z HJT

V možnostech složky si povol zobrazování skrytých souborů a složek+ odškrtni zatržítko skrýt chráněné soubory operačního systému

Toto otestuj na Virustotal
c:\program files\Common Files\LanTingSys.txt
Pokud už byl soubor testován-klikni na otestovat znovu.

Vlož sem pak odkaz na stránku s výsledky.

Přeinstaluj si Firebird. (Firebird_2_0)

Frutigo · Příspěvekod **Frutigo** » 14 bře 2010 16:15

ComboFix 10-03-13.03 - Frutigo 14.03.2010 16:03:19.2.1 - FAT32x86
Systém Microsoft Windows XP Professional 5.1.2600.1.1250.420.1029.18.511.312 [GMT 1:00]
Spuštěný z: c:\documents and settings\Frutigo\Plocha\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\Frutigo\Plocha\CFScript.txt

FILE ::
"c:\docume~1\Frutigo\LOCALS~1\Temp\FJK12BE.tmp"
"c:\program files\pdfforge Toolbar\SearchSettings.exe"
"c:\windows\iun6002.exe"
"c:\windows\system32\a79oCE.exe"
"c:\windows\system32\aMLkvhrxw.dll"
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\FOUND.004
c:\found.004\FILE0000.CHK
c:\found.004\FILE0001.CHK
c:\found.004\FILE0002.CHK
c:\found.004\FILE0003.CHK
c:\found.004\FILE0004.CHK
c:\found.004\FILE0005.CHK
c:\found.004\FILE0006.CHK
c:\found.004\FILE0007.CHK
c:\found.004\FILE0008.CHK
c:\found.004\FILE0009.CHK
C:\FOUND.005
c:\found.005\FILE0000.CHK
c:\found.005\FILE0001.CHK
c:\found.005\FILE0002.CHK
c:\found.005\FILE0003.CHK
c:\found.005\FILE0004.CHK
c:\found.005\FILE0005.CHK
c:\found.005\FILE0006.CHK
c:\found.005\FILE0007.CHK
c:\found.005\FILE0008.CHK
c:\found.005\FILE0009.CHK
c:\windows\iun6002.exe
c:\windows\system32\a79oCE.exe

c:\windows\system32\qmgr.dll . . . je infikován!!

.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_GARENAPENGINE

((((((((((((((((((((((((( Soubory vytvořené od 2010-02-14 do 2010-03-14 )))))))))))))))))))))))))))))))
.

2010-03-14 09:58 . 2010-03-09 11:12 162640 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-03-14 09:58 . 2010-03-09 11:12 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-03-14 09:58 . 2010-03-09 11:09 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-03-14 09:58 . 2010-03-09 11:08 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-03-14 09:58 . 2010-03-09 11:08 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-03-14 09:58 . 2010-03-09 11:08 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-03-14 09:58 . 2010-03-09 11:24 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-03-14 09:58 . 2010-03-09 11:24 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-03-13 18:56 . 2010-03-13 18:56 -------- d-----w- c:\program files\XP TCPIP Repair
2010-03-13 09:19 . 2010-01-07 15:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-13 09:18 . 2010-03-13 09:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-13 09:18 . 2010-01-07 15:07 18520 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-12 20:03 . 2010-03-12 20:03 -------- d-----w- c:\program files\Alwil Software
2010-02-27 14:21 . 2010-02-27 14:21 -------- d-----w- c:\windows\system32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-14 09:55 . 2001-10-25 13:00 73236 ----a-w- c:\windows\system32\perfc005.dat
2010-03-14 09:55 . 2001-10-25 13:00 398472 ----a-w- c:\windows\system32\perfh005.dat
2010-01-30 11:58 . 2010-01-30 11:58 18944 ----a-w- c:\windows\system32\vbCPUInf.dll
2010-01-18 15:10 . 2010-01-18 15:09 -------- d-----w- c:\program files\MzRam
2010-01-18 15:06 . 2010-01-18 15:06 -------- d-----w- c:\program files\CM Data Software
2009-05-03 19:24 . 2009-05-03 19:24 33 ----a-w- c:\program files\Common Files\LanTingSys.txt
2006-10-11 08:04 . 2009-01-11 15:17 61036 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2006-10-11 08:05 . 2009-01-11 15:17 48742 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2006-10-11 08:05 . 2009-01-11 15:17 29313 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2006-10-11 08:05 . 2009-01-11 15:17 41082 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2006-10-11 08:04 . 2009-01-11 15:17 166510 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\windows\system32\Adobe ----

2010-02-27 14:21 . 2010-02-27 14:21 87716 ----a-w- c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
2010-01-18 07:25 . 2010-01-18 07:25 65816 ----a-w- c:\windows\system32\Adobe\Director\SWDNLD.EXE
2010-01-18 07:24 . 2010-01-18 07:24 213272 ----a-w- c:\windows\system32\Adobe\Director\SwDir.dll
2010-01-18 07:23 . 2010-01-18 07:23 459032 ----a-w- c:\windows\system32\Adobe\Shockwave 11\SwHelper_1156606.exe
2010-01-18 07:13 . 2010-01-18 07:13 32256 ----a-w- c:\windows\system32\Adobe\Shockwave 11\Xtras\INetURL.x32
2010-01-18 07:12 . 2010-01-18 07:12 446464 ----a-w- c:\windows\system32\Adobe\Shockwave 11\Proj.dll
2010-01-18 07:12 . 2010-01-18 07:12 9216 ----a-w- c:\windows\system32\Adobe\Shockwave 11\DynaPlayer.dll
2010-01-18 07:12 . 2010-01-18 07:12 135168 ----a-w- c:\windows\system32\Adobe\Director\np32dsw.dll
2010-01-18 07:11 . 2010-01-18 07:11 372736 ----a-w- c:\windows\system32\Adobe\Shockwave 11\Plugin.dll
2010-01-18 07:11 . 2010-01-18 07:11 39936 ----a-w- c:\windows\system32\Adobe\Shockwave 11\Xtras\Netlingo.x32
2010-01-18 07:11 . 2010-01-18 07:11 147456 ----a-w- c:\windows\system32\Adobe\Shockwave 11\Xtras\Netfile.x32
2010-01-18 07:10 . 2010-01-18 07:10 12800 ----a-w- c:\windows\system32\Adobe\Shockwave 11\Xtras\CBrowser.x32
2010-01-18 07:10 . 2010-01-18 07:10 114688 ----a-w- c:\windows\system32\Adobe\Shockwave 11\SwInit.exe
2010-01-18 07:10 . 2010-01-18 07:10 94208 ----a-w- c:\windows\system32\Adobe\Shockwave 11\SwMenu.dll
2010-01-18 07:10 . 2010-01-18 07:10 503808 ----a-w- c:\windows\system32\Adobe\Shockwave 11\Control.dll
2010-01-18 07:05 . 2010-01-18 07:05 37376 ----a-w- c:\windows\system32\Adobe\Shockwave 11\Xtras\Speech.x32
2010-01-18 07:04 . 2010-01-18 07:04 167936 ----a-w- c:\windows\system32\Adobe\Shockwave 11\Xtras\Multiusr.x32
2010-01-18 06:48 . 2010-01-18 06:48 1798144 ----a-w- c:\windows\system32\Adobe\Shockwave 11\dirapi.dll
2010-01-18 06:44 . 2010-01-18 06:44 1011712 ----a-w- c:\windows\system32\Adobe\Shockwave 11\iml32.dll
2010-01-18 06:38 . 2010-01-18 06:38 1975408 ----a-w- c:\windows\system32\Adobe\Shockwave 11\gt.exe
2010-01-18 06:38 . 2010-01-18 06:38 136568 ----a-w- c:\windows\system32\Adobe\Shockwave 11\SYMCCHECKER.DLL
2010-01-18 06:38 . 2010-01-18 06:38 742912 ----a-w- c:\windows\system32\Adobe\Shockwave 11\gi.dll
2010-01-18 06:38 . 2010-01-18 06:38 79488 ----a-w- c:\windows\system32\Adobe\Shockwave 11\gtapi.dll
2010-01-18 06:35 . 2010-01-18 06:35 15412 ----a-w- c:\windows\system32\Adobe\Shockwave 11\SwLogo.bmp
2010-01-18 06:30 . 2010-01-18 06:30 12532 ----a-w- c:\windows\system32\Adobe\Shockwave 11\shockwave_Projector_Loader.dcr
2010-01-18 06:30 . 2010-01-18 06:30 3675 ----a-w- c:\windows\system32\Adobe\Shockwave 11\Xtras\autodownload.txt
2010-01-18 06:30 . 2010-01-18 06:30 330 ----a-w- c:\windows\system32\Adobe\Director\M5drvr32.exe
2010-01-18 06:30 . 2010-01-18 06:30 330 ----a-w- c:\windows\system32\Adobe\Director\M5if32.dll

((((((((((((((((((((((((((((( SnapShot@2010-03-14_09.41.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-11 23:02 . 2009-07-11 23:02 51008 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll
+ 2009-07-11 23:02 . 2009-07-11 23:02 59728 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90rus.dll
+ 2009-07-11 23:02 . 2009-07-11 23:02 42832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90kor.dll
+ 2009-07-11 23:02 . 2009-07-11 23:02 43344 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90jpn.dll
+ 2009-07-11 23:02 . 2009-07-11 23:02 61264 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90ita.dll
+ 2009-07-11 23:02 . 2009-07-11 23:02 36688 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90cht.dll
+ 2009-07-11 23:02 . 2009-07-11 23:02 35648 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90chs.dll
+ 2009-07-11 23:02 . 2009-07-11 23:02 62800 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90fra.dll
+ 2009-07-11 23:02 . 2009-07-11 23:02 61760 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esp.dll
+ 2009-07-11 23:02 . 2009-07-11 23:02 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esn.dll
+ 2009-07-11 23:02 . 2009-07-11 23:02 53568 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90enu.dll
+ 2009-07-11 23:02 . 2009-07-11 23:02 63296 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90deu.dll
+ 2009-07-11 23:05 . 2009-07-11 23:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90u.dll
+ 2009-07-11 23:05 . 2009-07-11 23:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90.dll
- 2001-10-25 13:00 . 2010-01-18 15:14 62344 c:\windows\system32\perfc009.dat
+ 2001-10-25 13:00 . 2010-03-14 09:55 62344 c:\windows\system32\perfc009.dat
+ 2009-07-11 23:02 . 2009-07-11 23:02 653120 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcr90.dll
+ 2009-07-11 23:02 . 2009-07-11 23:02 569664 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcp90.dll
+ 2009-07-11 23:05 . 2009-07-11 23:05 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcm90.dll
+ 2009-07-11 23:02 . 2009-07-11 23:02 159032 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll
+ 2001-10-25 13:00 . 2010-03-14 09:55 401064 c:\windows\system32\perfh009.dat
- 2001-10-25 13:00 . 2010-01-18 15:14 401064 c:\windows\system32\perfh009.dat
+ 2010-03-13 19:06 . 2010-03-14 09:52 262144 c:\windows\system32\config\systemprofile\NtUser.dat
- 2010-03-13 19:06 . 2010-03-14 09:29 262144 c:\windows\system32\config\systemprofile\NtUser.dat
+ 2010-03-14 09:58 . 2010-03-14 09:58 219648 c:\windows\Installer\3b898.msi
+ 2009-07-11 23:02 . 2009-07-11 23:02 3780424 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90u.dll
+ 2009-07-11 23:02 . 2009-07-11 23:02 3765048 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90.dll
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-01-11 185872]
"Startup Cleaner"="c:\program files\CM Data Software\CM DiskCleaner\Startup Cleaner.exe" [2006-10-08 122880]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"AudioDeck"="c:\program files\VIAudioi\SBADeck\ADeck.exe" [2005-09-06 450560]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-06 61440]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-03-09 2769336]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2002-09-20 13312]

c:\documents and settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
SecureDoc.lnk - c:\program files\MSI\SecureDoc\Logon.exe [2008-12-9 82944]
PC Alert 4.lnk - c:\program files\MSI\PC Alert 4\PCAlert4.exe [2008-12-9 544768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\System32\logonui.exe"

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [23.12.2008 18:36 642560]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [14.3.2010 10:58 162640]
R1 TRIXX;TRIXX;c:\program files\TRIXX\TRIXXDriver.sys [16.8.2005 12:17 15360]
R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;d:\program files\Firebird\Firebird_2_0\bin\fbguard.exe -s --> d:\program files\Firebird\Firebird_2_0\bin\fbguard.exe -s [?]
R2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [10.12.2008 16:27 222456]
R2 ssoftnt4;ssoftnt4;c:\windows\system32\drivers\ssoftnt4.sys [21.5.2004 1:30 114944]
R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;d:\program files\Firebird\Firebird_2_0\bin\fbserver.exe -s --> d:\program files\Firebird\Firebird_2_0\bin\fbserver.exe -s [?]
R3 PCAlertDriver;PCAlertDriver;c:\program files\MSI\PC Alert 4\NTGLM7X.SYS [9.12.2008 20:07 22432]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2.8.2005 22:10 32512]

--- Ostatní služby/ovladače v paměti ---

*NewlyCreated* - PCALERTDRIVER
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.seznam.cz/
IE: Download with &Shareaza - d:\program files\Morpheus Music\Plugins\RazaWebHook.dll/3000
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Frutigo\Data aplikací\Mozilla\Firefox\Profiles\nwe5paog.default\
FF - prefs.js: browser.startup.homepage - seznam.cz
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -

AddRemove-CM_DiskCleaner - c:\windows\iun6002.exe
AddRemove-Cool's_Codec_pack_4.12 - c:\windows\iun6002.exe
AddRemove-HijackThis - G:\HijackThis.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-14 16:11
Windows 5.1.2600 Service Pack 1 FAT NTAPI

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe >>UNKNOWN [0x82FA3EB0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> 0x82fa3eb0
\Driver\ACPI -> ACPI.sys @ 0xf8567740
\Driver\atapi -> atapi.sys @ 0xf8512510
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x80559f4b
ParseProcedure -> ntoskrnl.exe @ 0x805829d5
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x80559f4b
ParseProcedure -> ntoskrnl.exe @ 0x805829d5
NDIS: VIA Rhine II Fast Ethernet Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf84a8d84
PacketIndicateHandler -> NDIS.sys @ 0xf84b5480
SendHandler -> NDIS.sys @ 0xf8496933
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(816)
c:\windows\System32\ODBC32.dll
c:\windows\System32\ginamsi.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(876)
c:\windows\System32\dssenh.dll

- - - - - - - > 'explorer.exe'(380)
c:\windows\System32\msi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\Ati2evxx.exe
d:\program files\Firebird\Firebird_2_0\bin\fbguard.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\HP\Digital Imaging\bin\hpqtra08.exe
c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
c:\windows\system32\ssoftsrv.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
d:\program files\Firebird\Firebird_2_0\bin\fbserver.exe
.
**************************************************************************
.
Celkový čas: 2010-03-14 16:14:05 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-03-14 15:14
ComboFix2.txt 2010-03-14 09:47

Před spuštěním: 4 911 185 920
Po spuštění: 4 875 747 328

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 798F3C9D2ECBED0D410DA01046D73A2A

Frutigo · Příspěvekod **Frutigo** » 14 bře 2010 16:18

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:16:58, on 14.3.2010
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Firebird\Firebird_2_0\bin\fbguard.exe
C:\Program Files\ICQ6Toolbar\ICQ Service.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\MSI\SecureDoc\Logon.exe
C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\WINDOWS\system32\ssoftsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
D:\Program Files\Firebird\Firebird_2_0\bin\fbserver.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Frutigo\Plocha\help\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Shareaza Web Download Hook - {0EEDB912-C5FA-486F-8334-57288578C627} - d:\Program Files\Morpheus Music\Plugins\RazaWebHook.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Startup Cleaner] C:\Program Files\CM Data Software\CM DiskCleaner\Startup Cleaner.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: SecureDoc.lnk = C:\Program Files\MSI\SecureDoc\Logon.exe
O4 - Global Startup: PC Alert 4.lnk = C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
O4 - Global Startup: LUMIX Simple Viewer.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Hlavní panel ATI CATALYST.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Download with &Shareaza - res://d:\Program Files\Morpheus Music\Plugins\RazaWebHook.dll/3000
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - FirebirdSQL Project - D:\Program Files\Firebird\Firebird_2_0\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - FirebirdSQL Project - D:\Program Files\Firebird\Firebird_2_0\bin\fbserver.exe
O23 - Service: ICQ Service - Unknown owner - C:\Program Files\ICQ6Toolbar\ICQ Service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Cryptainer service (ssoftservice) - Cypherix - C:\WINDOWS\SYSTEM32\ssoftsrv.exe

--
End of file - 6775 bytes

Frutigo · Příspěvekod **Frutigo** » 14 bře 2010 16:22

http://www.virustotal.com/analisis/f8b0 ... 1268579964

Frutigo · Příspěvekod **Frutigo** » 14 bře 2010 16:26

prosimte s tim firebird mam stahnout kde? (nemam potuchy co je to zač)

Příspěvekod **jaro3** » 14 bře 2010 16:28

Start-spustit-napiš: notepad ,do něho vlož tento celý text:

Kód: Vybrat vše

dir \qmgr.dll /a h /s > File.txt

uložit na plochu s názvem: find.bat (typ souboru- všechny soubory)
Najdi ho na ploše, poklepej na něj a počkej až se okno zavře a objeví se soubor.txt
Vlož sem potom celý text z tohoto souboru.

firebird--tak ho odinstaluj v přidat/odebrat programy.

Frutigo · Příspěvekod **Frutigo** » 14 bře 2010 16:39

Svazek v jednotce C nem § dnou jmenovku.
S‚riov‚ źˇslo svazku je 680F-AAD4.

Věpis adres ýe C:\WINDOWS\system32

20.09.2002 19:04 221˙184 qmgr.dll
1 soubor…, 221˙184 bajt…

Věpis adres ýe C:\WINDOWS\ERDNT\cache

20.09.2002 19:04 221˙184 qmgr.dll
1 soubor…, 221˙184 bajt…

Frutigo · Příspěvekod **Frutigo** » 14 bře 2010 16:39

no a nebude vadit kdyz tam nebude?
//ten firebird

Příspěvekod **jaro3** » 14 bře 2010 16:52

Když ho nepoužíváš ( Firebird) , tak vadit nebude...

Otevři si Poznámkový blok (Start -> Spustit... a napiš do okna Notepad a dej Ok.
Zkopíruj do něj následující celý text označený zeleně:
Poznámka: Nepoužij k označení skriptu funkci VYBRAT VŠE

Kód: Vybrat vše

FCopy::
C:\WINDOWS\ERDNT\cache\qmgr.dll | c:\windows\ system32\qmgr.dll

Zvol možnost Soubor -> Uložit jako... a nastav tyto parametry:
Název souboru: zde napiš: CFScript.txt
Uložit jako typ: tak tam vyber Všechny soubory
Ulož soubor na plochu.
Ukonči všechna aktivní okna.

Uchop myší vytvořený skript CFScript.txt, přemísti ho nad stažený program ComboFix.exe a když se oba soubory překryjí, skript upusť.
- Automaticky se spustí ComboFix
- Vlož sem log, který vyběhne v závěru čistícího procesu .

Frutigo · Příspěvekod **Frutigo** » 14 bře 2010 17:00

Frutigo · Příspěvekod **Frutigo** » 14 bře 2010 17:23

ComboFix 10-03-13.03 - Frutigo 14.03.2010 17:12:49.3.1 - FAT32x86
Systém Microsoft Windows XP Professional 5.1.2600.1.1250.420.1029.18.511.314 [GMT 1:00]
Spuštěný z: c:\documents and settings\Frutigo\Plocha\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\Frutigo\Plocha\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\qmgr.dll . . . je infikován!!

.
--------------- FCopy ---------------

c:\windows\ERDNT\cache\qmgr.dll --> c:\windows\ system32\qmgr.dll
.
((((((((((((((((((((((((( Soubory vytvořené od 2010-02-14 do 2010-03-14 )))))))))))))))))))))))))))))))
.

2010-03-14 16:12 . 2010-03-14 16:12 -------- d-----w- c:\windows\ system32
2010-03-14 09:58 . 2010-03-09 11:12 162640 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-03-14 09:58 . 2010-03-09 11:12 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-03-14 09:58 . 2010-03-09 11:09 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-03-14 09:58 . 2010-03-09 11:08 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-03-14 09:58 . 2010-03-09 11:08 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-03-14 09:58 . 2010-03-09 11:08 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-03-14 09:58 . 2010-03-09 11:24 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-03-14 09:58 . 2010-03-09 11:24 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-03-13 18:56 . 2010-03-13 18:56 -------- d-----w- c:\program files\XP TCPIP Repair
2010-03-13 09:19 . 2010-01-07 15:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-13 09:18 . 2010-03-13 09:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-13 09:18 . 2010-01-07 15:07 18520 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-12 20:03 . 2010-03-12 20:03 -------- d-----w- c:\program files\Alwil Software
2010-02-27 14:21 . 2010-02-27 14:21 -------- d-----w- c:\windows\system32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-14 09:55 . 2001-10-25 13:00 73236 ----a-w- c:\windows\system32\perfc005.dat
2010-03-14 09:55 . 2001-10-25 13:00 398472 ----a-w- c:\windows\system32\perfh005.dat
2010-01-30 11:58 . 2010-01-30 11:58 18944 ----a-w- c:\windows\system32\vbCPUInf.dll
2010-01-18 15:10 . 2010-01-18 15:09 -------- d-----w- c:\program files\MzRam
2010-01-18 15:06 . 2010-01-18 15:06 -------- d-----w- c:\program files\CM Data Software
2009-05-03 19:24 . 2009-05-03 19:24 33 ----a-w- c:\program files\Common Files\LanTingSys.txt
2006-10-11 08:04 . 2009-01-11 15:17 61036 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2006-10-11 08:05 . 2009-01-11 15:17 48742 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2006-10-11 08:05 . 2009-01-11 15:17 29313 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2006-10-11 08:05 . 2009-01-11 15:17 41082 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2006-10-11 08:04 . 2009-01-11 15:17 166510 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-03-14_09.41.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-11 23:02 . 2009-07-11 23:02 51008 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll
+ 2009-07-11 23:02 . 2009-07-11 23:02 59728 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90rus.dll
+ 2009-07-11 23:02 . 2009-07-11 23:02 42832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90kor.dll
+ 2009-07-11 23:02 . 2009-07-11 23:02 43344 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90jpn.dll
+ 2009-07-11 23:02 . 2009-07-11 23:02 61264 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90ita.dll
+ 2009-07-11 23:02 . 2009-07-11 23:02 36688 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90cht.dll
+ 2009-07-11 23:02 . 2009-07-11 23:02 35648 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90chs.dll
+ 2009-07-11 23:02 . 2009-07-11 23:02 62800 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90fra.dll
+ 2009-07-11 23:02 . 2009-07-11 23:02 61760 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esp.dll
+ 2009-07-11 23:02 . 2009-07-11 23:02 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esn.dll
+ 2009-07-11 23:02 . 2009-07-11 23:02 53568 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90enu.dll
+ 2009-07-11 23:02 . 2009-07-11 23:02 63296 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90deu.dll
+ 2009-07-11 23:05 . 2009-07-11 23:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90u.dll
+ 2009-07-11 23:05 . 2009-07-11 23:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90.dll
+ 2010-03-14 16:19 . 2010-03-14 16:19 16384 c:\windows\Temp\Perflib_Perfdata_9f4.dat
+ 2010-03-14 16:17 . 2010-03-14 16:17 16384 c:\windows\Temp\Perflib_Perfdata_264.dat
+ 2001-10-25 13:00 . 2010-03-14 09:55 62344 c:\windows\system32\perfc009.dat
- 2001-10-25 13:00 . 2010-01-18 15:14 62344 c:\windows\system32\perfc009.dat
+ 2009-07-11 23:02 . 2009-07-11 23:02 653120 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcr90.dll
+ 2009-07-11 23:02 . 2009-07-11 23:02 569664 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcp90.dll
+ 2009-07-11 23:05 . 2009-07-11 23:05 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcm90.dll
+ 2009-07-11 23:02 . 2009-07-11 23:02 159032 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll
+ 2001-10-25 13:00 . 2010-03-14 09:55 401064 c:\windows\system32\perfh009.dat
- 2001-10-25 13:00 . 2010-01-18 15:14 401064 c:\windows\system32\perfh009.dat
- 2010-03-13 19:06 . 2010-03-14 09:29 262144 c:\windows\system32\config\systemprofile\NtUser.dat
+ 2010-03-13 19:06 . 2010-03-14 09:52 262144 c:\windows\system32\config\systemprofile\NtUser.dat
+ 2010-03-14 09:58 . 2010-03-14 09:58 219648 c:\windows\Installer\3b898.msi
+ 2010-03-14 16:12 . 2002-09-20 18:04 221184 c:\windows\ system32\qmgr.dll
+ 2009-07-11 23:02 . 2009-07-11 23:02 3780424 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90u.dll
+ 2009-07-11 23:02 . 2009-07-11 23:02 3765048 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90.dll
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-01-11 185872]
"Startup Cleaner"="c:\program files\CM Data Software\CM DiskCleaner\Startup Cleaner.exe" [2006-10-08 122880]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"AudioDeck"="c:\program files\VIAudioi\SBADeck\ADeck.exe" [2005-09-06 450560]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-06 61440]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-03-09 2769336]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2002-09-20 13312]

c:\documents and settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
SecureDoc.lnk - c:\program files\MSI\SecureDoc\Logon.exe [2008-12-9 82944]
PC Alert 4.lnk - c:\program files\MSI\PC Alert 4\PCAlert4.exe [2008-12-9 544768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\System32\logonui.exe"

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [23.12.2008 18:36 642560]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [14.3.2010 10:58 162640]
R1 TRIXX;TRIXX;c:\program files\TRIXX\TRIXXDriver.sys [16.8.2005 12:17 15360]
R2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [10.12.2008 16:27 222456]
R2 ssoftnt4;ssoftnt4;c:\windows\system32\drivers\ssoftnt4.sys [21.5.2004 1:30 114944]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2.8.2005 22:10 32512]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.seznam.cz/
IE: Download with &Shareaza - d:\program files\Morpheus Music\Plugins\RazaWebHook.dll/3000
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Frutigo\Data aplikací\Mozilla\Firefox\Profiles\nwe5paog.default\
FF - prefs.js: browser.startup.homepage - seznam.cz
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-14 17:19
Windows 5.1.2600 Service Pack 1 FAT NTAPI

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe >>UNKNOWN [0x82FA30E8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> 0x82fa30e8
\Driver\ACPI -> ACPI.sys @ 0xf8548740
\Driver\atapi -> atapi.sys @ 0xf84f3510
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x80559f4b
ParseProcedure -> ntoskrnl.exe @ 0x805829d5
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x80559f4b
ParseProcedure -> ntoskrnl.exe @ 0x805829d5
NDIS: VIA Rhine II Fast Ethernet Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf8489d84
PacketIndicateHandler -> NDIS.sys @ 0xf8496480
SendHandler -> NDIS.sys @ 0xf8477933
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(816)
c:\windows\System32\ODBC32.dll
c:\windows\System32\ginamsi.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(876)
c:\windows\System32\dssenh.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\ssoftsrv.exe
c:\program files\HP\Digital Imaging\bin\hpqtra08.exe
c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Celkový čas: 2010-03-14 17:22:22 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-03-14 16:22
ComboFix2.txt 2010-03-14 15:14
ComboFix3.txt 2010-03-14 09:47

Před spuštěním: 4 883 054 592
Po spuštění: 4 851 449 856

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 7CC1AE81AB618C195C960B9810CC028D

Opet Virus protector Vyřešeno

Re: Opet Virus protector

Re: Opet Virus protector

Re: Opet Virus protector

Re: Opet Virus protector

Re: Opet Virus protector

Re: Opet Virus protector

Re: Opet Virus protector

Re: Opet Virus protector

Re: Opet Virus protector

Re: Opet Virus protector

Re: Opet Virus protector

Re: Opet Virus protector

Kdo je online