Win32/Mebroot.K

jeffino (Visitor, 9 posts, registered 31 Jul 2008 12:04)

Re: Win32/Mebroot.K

#106 Post by jeffino »

So, the next batch of logs... :)

------------------------------------------------------------------------------------------

SDFix: Version 1.210
Run by Admin on čt 31.07.2008 at 19:37

Microsoft Windows XP [Verzia 5.1.2600]
Running From: C:\SDFix\SDFix

Checking Services :

Name :
{DEF85C80-216A-43ab-AF70-1665EDBE2780}

Path :
\??\C:\WINDOWS\TEMP\14EC.tmp

{DEF85C80-216A-43ab-AF70-1665EDBE2780} - Deleted



Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\Temp\bca4e2da.$$$ - Deleted
C:\WINDOWS\Temp\ed47fa.$ - Deleted
C:\WINDOWS\Temp\fa56d7ec.$$$ - Deleted

Note - Files associated with the MBR Rootkit have been found on this system, to check the PC use the MBR Rootkit Detector by Gmer or CureIt by Dr.Web




Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-31 19:43:35
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"E:\\need for speed\\Speed.exe"="E:\\need for speed\\Speed.exe:*:Disabled:Speed"
"C:\\WINDOWS\\System32\\dpvsetup.exe"="C:\\WINDOWS\\System32\\dpvsetup.exe:*:Disabled:Microsoft DirectPlay Voice Test"
"C:\\Program Files\\ICQLite\\ICQLite.exe"="C:\\Program Files\\ICQLite\\ICQLite.exe:*:Disabled:ICQ Lite"
"D:\\Mimi\\Hry\\TTDX\\TTDLOADW.OVL"="D:\\Mimi\\Hry\\TTDX\\TTDLOADW.OVL:*:Disabled:TTDLOADW"
"C:\\WINDOWS\\System32\\ftp.exe"="C:\\WINDOWS\\System32\\ftp.exe:*:Enabled:File Transfer Program"
"C:\\Program Files\\Totalcmd\\TOTALCMD.EXE"="C:\\Program Files\\Totalcmd\\TOTALCMD.EXE:*:Disabled:Total Commander 32 bit international version, file manager replacement for Windows"
"E:\\TrackMania Nations\\TmNationsESWC.exe"="E:\\TrackMania Nations\\TmNationsESWC.exe:*:Enabled:TmNationsESWC"
"E:\\AgeofEmpires3\\empires2.exe"="E:\\AgeofEmpires3\\empires2.exe:*:Enabled:Age of Empires II"
"C:\\WINDOWS\\System32\\dplaysvr.exe"="C:\\WINDOWS\\System32\\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Disabled:RealPlayer"
"D:\\Mimi\\DC++\\DCPlusPlus.exe"="D:\\Mimi\\DC++\\DCPlusPlus.exe:*:Enabled:DC++"
"E:\\PES5\\game\\PES5.exe"="E:\\PES5\\game\\PES5.exe:*:Disabled:pes5.exe"
"E:\\Call of Duty\\CoDMP.exe"="E:\\Call of Duty\\CoDMP.exe:*:Disabled:CoDMP"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"
"E:\\FM2007\\fm.exe"="E:\\FM2007\\fm.exe:*:Enabled:Football Manager 2007"
"E:\\Starcraft\\StarCraft.exe"="E:\\Starcraft\\StarCraft.exe:*:Enabled:Starcraft"
"E:\\HoMaMIII\\HEROES3.EXE"="E:\\HoMaMIII\\HEROES3.EXE:*:Enabled:Heroes of Might and MagicR III"
"E:\\AoE2\\empires2.exe"="E:\\AoE2\\empires2.exe:*:Enabled:Age of Empires II"
"E:\\FarCry\\Bin32\\FarCry.exe"="E:\\FarCry\\Bin32\\FarCry.exe:*:Enabled:Far Cry"
"E:\\Boiling Point - Cesta do pekel\\XENUS.EXE"="E:\\Boiling Point - Cesta do pekel\\XENUS.EXE:*:Disabled:XENUS"
"E:\\Football Manager 2008\\fm.exe"="E:\\Football Manager 2008\\fm.exe:*:Enabled:Football Manager 2008"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 3 Mar 2008 568 A..H. --- "C:\WINDOWS\nod32fixtemdono.reg"
Mon 3 Mar 2008 5,702 A..H. --- "C:\WINDOWS\nod32restoretemdono.reg"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Thu 22 Mar 2007 28,672 ...H. --- "C:\Documents and Settings\Admin\Application Data\Microsoft\Word\~WRL0005.tmp"

Finished!

------------------------------------------------------------------------------------------

ComboFix 08-07-31.01 - Admin 2008-07-31 19:49:28.1 - FAT32x86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.81 [GMT 1:00]
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Antispyware_Spybot - Search & Destroy
C:\Program Files\Antispyware_Spybot - Search & Destroy\advcheck.dll
C:\Program Files\Antispyware_Spybot - Search & Destroy\aports.dll
C:\Program Files\Antispyware_Spybot - Search & Destroy\blindman.exe
C:\Program Files\Antispyware_Spybot - Search & Destroy\borlndmm.dll
C:\Program Files\Antispyware_Spybot - Search & Destroy\Default configuration.ini
C:\Program Files\Antispyware_Spybot - Search & Destroy\delphimm.dll
C:\Program Files\Antispyware_Spybot - Search & Destroy\Dummies\dummy.cd_clint.dll
C:\Program Files\Antispyware_Spybot - Search & Destroy\Dummies\dummy.dap.gif
C:\Program Files\Antispyware_Spybot - Search & Destroy\Dummies\dummy.data.xml
C:\Program Files\Antispyware_Spybot - Search & Destroy\Dummies\dummy.default.gif
C:\Program Files\Antispyware_Spybot - Search & Destroy\Dummies\dummy.related.htm
C:\Program Files\Antispyware_Spybot - Search & Destroy\Help\Brasil.license.txt
C:\Program Files\Antispyware_Spybot - Search & Destroy\Help\Cesky.license.txt
C:\Program Files\Antispyware_Spybot - Search & Destroy\Help\Cesky.Resident.chm
C:\Program Files\Antispyware_Spybot - Search & Destroy\Help\Deutsch.license.txt
C:\Program Files\Antispyware_Spybot - Search & Destroy\Help\English.chm
C:\Program Files\Antispyware_Spybot - Search & Destroy\Help\English.license.txt
C:\Program Files\Antispyware_Spybot - Search & Destroy\Help\English.Resident.chm
C:\Program Files\Antispyware_Spybot - Search & Destroy\Help\Espanol.license.txt
C:\Program Files\Antispyware_Spybot - Search & Destroy\Help\Francais.license.txt
C:\Program Files\Antispyware_Spybot - Search & Destroy\Help\Italiano.license.txt
C:\Program Files\Antispyware_Spybot - Search & Destroy\Help\Japanese.license.txt
C:\Program Files\Antispyware_Spybot - Search & Destroy\Help\Nederlands.license.txt
C:\Program Files\Antispyware_Spybot - Search & Destroy\Help\Polski.license.txt
C:\Program Files\Antispyware_Spybot - Search & Destroy\Help\Slovensky.license.txt
C:\Program Files\Antispyware_Spybot - Search & Destroy\Help\Slovensky.Resident.chm
C:\Program Files\Antispyware_Spybot - Search & Destroy\Help\Srpski.license.txt
C:\Program Files\Antispyware_Spybot - Search & Destroy\Includes\Browserpages.sbs
C:\Program Files\Antispyware_Spybot - Search & Destroy\Includes\CLSIDs.sbs
C:\Program Files\Antispyware_Spybot - Search & Destroy\Includes\Cookies.sbi
C:\Program Files\Antispyware_Spybot - Search & Destroy\Includes\Cookies.sbs
C:\Program Files\Antispyware_Spybot - Search & Destroy\Includes\Dialer.sbi
C:\Program Files\Antispyware_Spybot - Search & Destroy\Includes\Dialer.sbs
C:\Program Files\Antispyware_Spybot - Search & Destroy\Includes\DialerC.sbi
C:\Program Files\Antispyware_Spybot - Search & Destroy\Includes\Domains.sbs
C:\Program Files\Antispyware_Spybot - Search & Destroy\Includes\HeavyDuty.sbi
C:\Program Files\Antispyware_Spybot - Search & Destroy\Includes\Hijackers.sbi
C:\Program Files\Antispyware_Spybot - Search & Destroy\Includes\HijackersC.sbi
C:\Program Files\Antispyware_Spybot - Search & Destroy\Includes\Keyloggers.sbi
C:\Program Files\Antispyware_Spybot - Search & Destroy\Includes\KeyloggersC.sbi
C:\Program Files\Antispyware_Spybot - Search & Destroy\Includes\Logs.uts
C:\Program Files\Antispyware_Spybot - Search & Destroy\Includes\LSP.sbi
C:\Program Files\Antispyware_Spybot - Search & Destroy\Includes\LSP.sbs
C:\Program Files\Antispyware_Spybot - Search & Destroy\Includes\Malware.sbi
C:\Program Files\Antispyware_Spybot - Search & Destroy\Includes\MalwareC.sbi
C:\Program Files\Antispyware_Spybot - Search & Destroy\Includes\OperaPlugins.sbs
C:\Program Files\Antispyware_Spybot - Search & Destroy\Includes\ProcWatch.sbs
C:\Program Files\Antispyware_Spybot - Search & Destroy\Includes\PUPS.sbi
C:\Program Files\Antispyware_Spybot - Search & Destroy\Includes\PUPSC.sbi
C:\Program Files\Antispyware_Spybot - Search & Destroy\Includes\RegDFLinks.sbs
C:\Program Files\Antispyware_Spybot - Search & Destroy\Includes\RegWatch.sbs
C:\Program Files\Antispyware_Spybot - Search & Destroy\Includes\Revision.sbi
C:\Program Files\Antispyware_Spybot - Search & Destroy\Includes\Revision.sbs
C:\Program Files\Antispyware_Spybot - Search & Destroy\Includes\Searchpages.sbs
C:\Program Files\Antispyware_Spybot - Search & Destroy\Includes\Security.sbi
C:\Program Files\Antispyware_Spybot - Search & Destroy\Includes\SecurityC.sbi
C:\Program Files\Antispyware_Spybot - Search & Destroy\Includes\Services.sbs
C:\Program Files\Antispyware_Spybot - Search & Destroy\Includes\Spybots.sbi
C:\Program Files\Antispyware_Spybot - Search & Destroy\Includes\SpybotsC.sbi
C:\Program Files\Antispyware_Spybot - Search & Destroy\Includes\Startup.tnfo
C:\Program Files\Antispyware_Spybot - Search & Destroy\Includes\Targets.nfo
C:\Program Files\Antispyware_Spybot - Search & Destroy\Includes\Tracks.uti
C:\Program Files\Antispyware_Spybot - Search & Destroy\Includes\Trojans.sbi
C:\Program Files\Antispyware_Spybot - Search & Destroy\Includes\TrojansC.sbi
C:\Program Files\Antispyware_Spybot - Search & Destroy\Includes\URL-Blacklist.sbs
C:\Program Files\Antispyware_Spybot - Search & Destroy\Includes\X509White.sbs
C:\Program Files\Antispyware_Spybot - Search & Destroy\Languages\Arabic.sbl
C:\Program Files\Antispyware_Spybot - Search & Destroy\Languages\Bosanski.sbl
C:\Program Files\Antispyware_Spybot - Search & Destroy\Languages\Brasil.sbl
C:\Program Files\Antispyware_Spybot - Search & Destroy\Languages\Bulgarski.sbl
C:\Program Files\Antispyware_Spybot - Search & Destroy\Languages\Catalan.sbl
C:\Program Files\Antispyware_Spybot - Search & Destroy\Languages\Cesky.sbl
C:\Program Files\Antispyware_Spybot - Search & Destroy\Languages\Dansk.sbl
C:\Program Files\Antispyware_Spybot - Search & Destroy\Languages\Deutsch.sbl
C:\Program Files\Antispyware_Spybot - Search & Destroy\Languages\Eesti.sbl
C:\Program Files\Antispyware_Spybot - Search & Destroy\Languages\English.sbl
C:\Program Files\Antispyware_Spybot - Search & Destroy\Languages\Espanol.sbl
C:\Program Files\Antispyware_Spybot - Search & Destroy\Languages\Esperanto.sbl
C:\Program Files\Antispyware_Spybot - Search & Destroy\Languages\Euskera.sbl
C:\Program Files\Antispyware_Spybot - Search & Destroy\Languages\Farsi.sbl
C:\Program Files\Antispyware_Spybot - Search & Destroy\Languages\Francais.sbl
C:\Program Files\Antispyware_Spybot - Search & Destroy\Languages\Galego.sbl
C:\Program Files\Antispyware_Spybot - Search & Destroy\Languages\Greek.sbl
C:\Program Files\Antispyware_Spybot - Search & Destroy\Languages\Hebrew.sbl
C:\Program Files\Antispyware_Spybot - Search & Destroy\Languages\Hrvatski.sbl
C:\Program Files\Antispyware_Spybot - Search & Destroy\Languages\Chinese (simplified).sbl
C:\Program Files\Antispyware_Spybot - Search & Destroy\Languages\Chinese (traditional).sbl
C:\Program Files\Antispyware_Spybot - Search & Destroy\Languages\Italiano.sbl
C:\Program Files\Antispyware_Spybot - Search & Destroy\Languages\Japanese.sbl
C:\Program Files\Antispyware_Spybot - Search & Destroy\Languages\Korean.sbl
C:\Program Files\Antispyware_Spybot - Search & Destroy\Languages\Latvian.sbl
C:\Program Files\Antispyware_Spybot - Search & Destroy\Languages\Letzebuergesch.sbl
C:\Program Files\Antispyware_Spybot - Search & Destroy\Languages\Lietuviu.sbl
C:\Program Files\Antispyware_Spybot - Search & Destroy\Languages\Magyar.sbl
C:\Program Files\Antispyware_Spybot - Search & Destroy\Languages\Makedonski.sbl
C:\Program Files\Antispyware_Spybot - Search & Destroy\Languages\Melayu.sbl
C:\Program Files\Antispyware_Spybot - Search & Destroy\Languages\Nederlands.sbl
C:\Program Files\Antispyware_Spybot - Search & Destroy\Languages\Norsk.sbl
C:\Program Files\Antispyware_Spybot - Search & Destroy\Languages\Polski.sbl
C:\Program Files\Antispyware_Spybot - Search & Destroy\Languages\Portugues.sbl
C:\Program Files\Antispyware_Spybot - Search & Destroy\Languages\Romaneste.sbl
C:\Program Files\Antispyware_Spybot - Search & Destroy\Languages\Russkiy.sbl
C:\Program Files\Antispyware_Spybot - Search & Destroy\Languages\Shqip.sbl
C:\Program Files\Antispyware_Spybot - Search & Destroy\Languages\Slovenscina.sbl
C:\Program Files\Antispyware_Spybot - Search & Destroy\Languages\Slovensky.sbl
C:\Program Files\Antispyware_Spybot - Search & Destroy\Languages\Srpski.sbl
C:\Program Files\Antispyware_Spybot - Search & Destroy\Languages\Suomi.sbl
C:\Program Files\Antispyware_Spybot - Search & Destroy\Languages\Svenska.sbl
C:\Program Files\Antispyware_Spybot - Search & Destroy\Languages\Thai.sbl
C:\Program Files\Antispyware_Spybot - Search & Destroy\Languages\Turkce.sbl
C:\Program Files\Antispyware_Spybot - Search & Destroy\Languages\Ukrainian.sbl
C:\Program Files\Antispyware_Spybot - Search & Destroy\Languages\Uzbek.sbl
C:\Program Files\Antispyware_Spybot - Search & Destroy\messages.zres
C:\Program Files\Antispyware_Spybot - Search & Destroy\OptOut.ini
C:\Program Files\Antispyware_Spybot - Search & Destroy\Plugins\TCPIPAddress.dll
C:\Program Files\Antispyware_Spybot - Search & Destroy\SDHelper.dll
C:\Program Files\Antispyware_Spybot - Search & Destroy\Skins\Colorblind.ini
C:\Program Files\Antispyware_Spybot - Search & Destroy\Skins\Italia.ini
C:\Program Files\Antispyware_Spybot - Search & Destroy\Skins\Italia.jpg
C:\Program Files\Antispyware_Spybot - Search & Destroy\Skins\Peace.ini
C:\Program Files\Antispyware_Spybot - Search & Destroy\Skins\Peace.jpg
C:\Program Files\Antispyware_Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Antispyware_Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Antispyware_Spybot - Search & Destroy\Tools.dll
C:\Program Files\Antispyware_Spybot - Search & Destroy\unins000.dat
C:\Program Files\Antispyware_Spybot - Search & Destroy\unins000.exe
C:\Program Files\Antispyware_Spybot - Search & Destroy\UnzDll.dll
C:\Program Files\Antispyware_Spybot - Search & Destroy\Update.exe
C:\Program Files\Antispyware_Spybot - Search & Destroy\Updates\advcheck.zip
C:\Program Files\Antispyware_Spybot - Search & Destroy\Updates\advcheck15.zip
C:\Program Files\Antispyware_Spybot - Search & Destroy\Updates\advcheck151.zip
C:\Program Files\Antispyware_Spybot - Search & Destroy\Updates\advcheck152.zip
C:\Program Files\Antispyware_Spybot - Search & Destroy\Updates\advcheck153.zip
C:\Program Files\Antispyware_Spybot - Search & Destroy\Updates\clsid.zip
C:\Program Files\Antispyware_Spybot - Search & Destroy\Updates\desc.english.zip
C:\Program Files\Antispyware_Spybot - Search & Destroy\Updates\downloaded.ini
C:\Program Files\Antispyware_Spybot - Search & Destroy\Updates\help.cesky.zip
C:\Program Files\Antispyware_Spybot - Search & Destroy\Updates\help.english.zip
C:\Program Files\Antispyware_Spybot - Search & Destroy\Updates\helpres.cesky.zip
C:\Program Files\Antispyware_Spybot - Search & Destroy\Updates\helpres.english.zip
C:\Program Files\Antispyware_Spybot - Search & Destroy\Updates\helpres.slovensky.zip
C:\Program Files\Antispyware_Spybot - Search & Destroy\Updates\includes.dialer.zip
C:\Program Files\Antispyware_Spybot - Search & Destroy\Updates\includes.hijackers.zip
C:\Program Files\Antispyware_Spybot - Search & Destroy\Updates\includes.keyloggers.zip
C:\Program Files\Antispyware_Spybot - Search & Destroy\Updates\includes.malware.zip
C:\Program Files\Antispyware_Spybot - Search & Destroy\Updates\includes.pups.zip
C:\Program Files\Antispyware_Spybot - Search & Destroy\Updates\includes.security.zip
C:\Program Files\Antispyware_Spybot - Search & Destroy\Updates\includes.spybots.zip
C:\Program Files\Antispyware_Spybot - Search & Destroy\Updates\includes.trojans.zip
C:\Program Files\Antispyware_Spybot - Search & Destroy\Updates\includes.zip
C:\Program Files\Antispyware_Spybot - Search & Destroy\Updates\lang.cesky.zip
C:\Program Files\Antispyware_Spybot - Search & Destroy\Updates\lang.english.zip
C:\Program Files\Antispyware_Spybot - Search & Destroy\Updates\lang.slovensky.zip
C:\Program Files\Antispyware_Spybot - Search & Destroy\Updates\mainapp152.zip
C:\Program Files\Antispyware_Spybot - Search & Destroy\Updates\online.ini
C:\Program Files\Antispyware_Spybot - Search & Destroy\Updates\plugtcpip.zip
C:\Program Files\Antispyware_Spybot - Search & Destroy\Updates\sbsd152upd.exe
C:\Program Files\Antispyware_Spybot - Search & Destroy\Updates\sbsd152upd.wem
C:\Program Files\Antispyware_Spybot - Search & Destroy\Updates\skins.main.zip
C:\Program Files\Antispyware_Spybot - Search & Destroy\Updates\startup.zip
C:\Program Files\Antispyware_Spybot - Search & Destroy\Updates\tools.zip
C:\Program Files\Antispyware_Spybot - Search & Destroy\Updates\tools15.zip
C:\Program Files\Antispyware_Spybot - Search & Destroy\Updates\tools212.zip
C:\Program Files\Antispyware_Spybot - Search & Destroy\ZipDll.dll
C:\Program Files\Common Files\{10C52~1
C:\Program Files\Common Files\{10C52~2
C:\WINDOWS\system32\mdm.exe
C:\WINDOWS\system32\mhjnfpskaq.dat
C:\WINDOWS\system32\mhjnfpskaq_nav.dat
C:\WINDOWS\system32\mhjnfpskaq_navps.dat
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\obmtjiuvsn_navtmp.dat
C:\WINDOWS\system32\trdphnu_navtmp.dat
C:\WINDOWS\system32\valeva.dat
C:\WINDOWS\system32\valeva.exe
C:\WINDOWS\system32\valeva_nav.dat
C:\WINDOWS\system32\valeva_navps.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{DEF85C80-216A-43AB-AF70-1665EDBE2780}


((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-31 )))))))))))))))))))))))))))))))
.

2009-04-08 11:36 . 2008-03-03 14:25 5,702 --ah----- C:\WINDOWS\nod32restoretemdono.reg
2009-04-08 11:36 . 2008-03-03 18:21 568 --ah----- C:\WINDOWS\nod32fixtemdono.reg
2009-04-08 11:32 . 2009-04-08 11:32 <DIR> d-------- C:\Program Files\ESET
2009-03-02 15:46 . 2009-03-02 15:46 <DIR> d-------- C:\Program Files\Opera
2009-02-25 14:54 . 2006-02-28 08:53 2,936,832 --a------ C:\WINDOWS\system32\MA2_6.scr
2009-01-31 15:14 . 2009-01-31 15:14 <DIR> d--hs---- C:\FOUND.001
2009-01-22 22:10 . 2004-08-04 09:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2009-01-22 20:32 . 2009-01-22 20:32 <DIR> d-------- C:\Program Files\Winamp
2009-01-22 20:32 . 2007-03-08 00:51 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2009-01-04 20:25 . 2009-01-04 20:25 <DIR> d--hs---- C:\FOUND.000
2008-07-31 19:36 . 2008-07-31 19:36 577,024 --a------ C:\WINDOWS\system32\dllcache\user32.dll
2008-07-31 19:35 . 2008-07-31 19:35 <DIR> d-------- C:\WINDOWS\ERUNT
2008-07-31 19:31 . 2008-07-31 19:31 <DIR> d-------- C:\SDFix
2008-07-31 19:17 . 2008-07-31 19:17 <DIR> d-------- C:\Documents and Settings\Admin\DoctorWeb
2008-07-30 19:01 . 2008-07-30 19:01 <DIR> d--hs---- C:\FOUND.002
2008-07-16 08:59 . 2008-07-16 08:59 <DIR> d-------- C:\Program Files\QIP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-22 19:32 --------- d-----w C:\Documents and Settings\Admin\Application Data\Winamp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:56 15360]
"OM_Monitor"="C:\Program Files\OLYMPUS Master\Monitor.exe" [2005-11-29 19:19 57344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2004-07-15 11:42 4112384]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2004-07-15 11:42 81920]
"OM_Monitor"="C:\Program Files\OLYMPUS Master\FirstStart.exe" [2005-11-29 19:19 40960]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41 49152]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 13:06 40048]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2007-12-21 08:21 1443072]
"nwiz"="nwiz.exe" [2004-07-15 11:42 843776 C:\WINDOWS\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2003-12-19 11:53 65024 C:\WINDOWS\SOUNDMAN.EXE]
"CHotkey"="zHotkey.exe" [2003-07-29 18:06 515584 C:\WINDOWS\zHotkey.exe]
"ShowWnd"="ShowWnd.exe" [2003-09-19 09:09 36864 C:\WINDOWS\ShowWnd.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 09:56 15360]

C:\Documents and Settings\Admin\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]
SaveSnap.lnk.disabled [2007-09-19 21:24:12 646]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office2000\Office\OSA9.EXE [1999-02-18 02:05:56 65588]
HP Digital Imaging Monitor.lnk.disabled [2006-12-24 21:10:12 1718]
InterVideo WinCinema Manager.lnk.disabled [2004-09-21 18:56:28 1687]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= pvmjpg21.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ICQ Lite"="C:\Program Files\ICQLite\ICQLite.exe" -minimize
"gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\System32\\dpvsetup.exe"=
"C:\\WINDOWS\\System32\\ftp.exe"=
"C:\\Program Files\\Totalcmd\\TOTALCMD.EXE"=
"C:\\WINDOWS\\System32\\dplaysvr.exe"=
"E:\\Call of Duty\\CoDMP.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"E:\\AoE2\\empires2.exe"=
"E:\\Football Manager 2008\\fm.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 prodrv03;Star Force copy protection driver v3;C:\WINDOWS\system32\drivers\prodrv03.sys [2004-10-07 19:32]
R3 PSched;QoS Packet Scheduler;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-04 08:04]
S2 NOD32FiXTemDono;Eset Nod32 Boot;C:\WINDOWS\system32\regedt32.exe [2001-08-23 12:00]
S3 MapMem;MapMem;F:\mapmem.sys []
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-updateMgr - C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKLM-Run-{10C52ED5-0965-1051-0308-0408010301a5} - C:\Program Files\Common Files\{10C52ED5-0965-1051-0308-0408010301a5}\Update.exe
Notify-WRNotifier - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\gic2oh86.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.zoznam.sk/
FF -: plugin - C:\Program Files\Java\jre1.5.0_11\bin\NPJava11.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_11\bin\NPJava12.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_11\bin\NPJava13.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_11\bin\NPJava14.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_11\bin\NPJava32.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_11\bin\NPJPI150_11.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_11\bin\NPOJI610.dll
FF -: plugin - C:\Program Files\Mozilla\plugins\npnul32.dll
FF -: plugin - C:\Program Files\Mozilla\plugins\nppdf32.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-31 19:53:54
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"CHotkey"="zHotkey.exe"
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRAM FILES\ESET\ESET SMART SECURITY\EKRN.EXE
C:\WINDOWS\SYSTEM32\NVSVC32.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\SYSTEM32\WDFMGR.EXE
C:\WINDOWS\SYSTEM32\WSCNTFY.EXE
.
**************************************************************************
.
Completion time: 2008-07-31 19:55:47 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-31 18:55:38

Pre-Run: 7,325,425,664 bytes free
Post-Run: 7,351,762,944 voľných bajtov

325

------------------------------------------------------------------------------------------

stell (VIP, 5175 posts, registered 09 Dec 2007 09:27, location: SK-REVUCA)

Re: Win32/Mebroot.K

#107 Post by stell »

OK, it's starting to take shape. Now, while I work through all of this, run Dr.Web CureIt on the USB sticks, in fact do a complete scan. It will take about 2-3 hours, but if I don't manage it today we'll finish tomorrow. OK
Don't forget to tick everything, including USB and flash drives; plug everything in. Then report what it found.
Important information.
Is your computer NOT RUNNING RIGHT?
Is it infected? Running slowly? A program not working? Problems installing?
Use the remote-help service!
e-mail: stell(zavináč)forum.viry.cz
Thanks! Vďaka!

jeffino (Visitor, 9 posts, registered 31 Jul 2008 12:04)

Re: Win32/Mebroot.K

#108 Post by jeffino »

So should I choose "Custom settings" in Dr.Web and tick USB Disk?

edit: I did it that way and it took about a minute, so that's probably wrong. :( Should I run a full scan instead, which checks all the drives?

stell (VIP, 5175 posts, registered 09 Dec 2007 09:27, location: SK-REVUCA)

Re: Win32/Mebroot.K

#109 Post by stell »

> Should I run a full scan instead, which checks all the drives?

Yes, exactly.

jeffino (Visitor, 9 posts, registered 31 Jul 2008 12:04)

Re: Win32/Mebroot.K

#110 Post by jeffino »

Thanks, the scan is running now.
I'd like to ask whether this Dr.Web is used (or whether you'd recommend it) as a standard antivirus, or only when everything else fails?
I hope I'm not being too much of a nuisance. :D

stell (VIP, 5175 posts, registered 09 Dec 2007 09:27, location: SK-REVUCA)

Re: Win32/Mebroot.K

#111 Post by stell »

Well, hold on, I have to ask about that, since Dr.Web CureIt is used as a one-off scanner, similar to MWAV.

stell (VIP, 5175 posts, registered 09 Dec 2007 09:27, location: SK-REVUCA)

Re: Win32/Mebroot.K

#112 Post by stell »

So it looks like you can't use Dr.Web CureIt as a standard antivirus, because it has no resident shield. For this kind of cleaning it's excellent, and there's no need to buy anything.
Now, once the scan finishes, do this:
For this step ComboFix must be on the desktop.

Turn off the firewall, antivirus, antispyware, everything resident.

Open Notepad and copy the entire green text into it:

Code:

KILLALL::

Rootkit::
C:\WINDOWS\TEMP\14EC.tmp

Driver::
{DEF85C80-216A-43AB-AF70-1665EDBE2780}

Folder::
C:\FOUND.001
C:\FOUND.000
C:\FOUND.002
C:\SDFix
Then click File -> Save as... -> where it says File name, type into that field: CFScript.txt
For File type, select *all files
and save it to the desktop. > Attention: CFScript.txt > do not open it, and it must not be CFScript.txt.txt either. Then do this:
[image]

When the scan finishes, post the log that ComboFix creates + a new HiJackThis.log + a new mbr.exe log > but leave the USB stick plugged in when you run mbr.exe.
This is now the shot to make sure :wink:

jeffino
Visitor
Posts: 9
Registered: 31 Jul 2008 12:04

Re: Win32/Mebroot.K

#113 Post by jeffino »

So the scan finally finished. This is what Dr.Web found; everything on the USB drive was clean.


RegUBP2b-Admin.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots;Trojan.StartPage.1505;Vymazané;

RegUBP2b-Admin.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Vymazané;

C2152591d01\327882R2FWJFW\psexec.cfexe;C:\Documents and Settings\Admin\Local Settings\Application Data\Mozilla\Firefox\Profiles\gic2oh86.default\Cache\C2152591d01;Program.PsExec.171;;

C2152591d01;C:\Documents and Settings\Admin\Local Settings\Application Data\Mozilla\Firefox\Profiles\gic2oh86.default\Cache;Archív obsahuje infikované objekty;Presunuté;

B02E7B0Dd01;C:\Documents and Settings\Admin\Local Settings\Application Data\Mozilla\Profiles\default\Cache;Win32.HLLM.Graz;Vymazané;

132B5313d01;C:\Documents and Settings\Admin\Local Settings\Application Data\Mozilla\Profiles\default\Cache;Win32.HLLM.Graz;Vymazané;

SDFix.exe\SDFix\apps\Process.exe;C:\Documents and Settings\Admin\Desktop\SDFix.exe;Tool.Prockill;;

SDFix.exe;C:\Documents and Settings\Admin\Desktop;Archív obsahuje infikované objekty;;

ComboFix.exe\327882R2FWJFW\psexec.cfexe;C:\Documents and Settings\Admin\Desktop\ComboFix.exe;Program.PsExec.171;;

ComboFix.exe;C:\Documents and Settings\Admin\Desktop;Archív obsahuje infikované objekty;;

A0170784.EXE;C:\System Volume Information\_restore{34F63E1D-5E28-4939-A618-7A6F5C996336}\RP936;Program.PsExec.170;;

A0170823.reg;C:\System Volume Information\_restore{34F63E1D-5E28-4939-A618-7A6F5C996336}\RP936;Trojan.StartPage.1505;Vymazané;

A0170824.reg;C:\System Volume Information\_restore{34F63E1D-5E28-4939-A618-7A6F5C996336}\RP936;Trojan.StartPage.1505;Vymazané;

Process.exe;C:\SDFix\SDFix\apps;Tool.Prockill;;

------------------------------------------------------------------------------------------
edit: I also have the complete log, but it's terribly long; I'll gladly provide it if needed.
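For reading a CureIt result list like the one above, here is an added Python example (it is not part of the thread and not a Dr.Web tool). CureIt prints one object per line as four ';'-separated fields: object name, directory, detection name, and the action taken (empty when the object was only reported). The script splits those fields and sorts the hits into buckets a helper would look at separately: components of the cleanup tools the user ran on purpose (psexec.cfexe inside ComboFix, Process.exe inside SDFix), browser-cache copies, System Restore snapshots, archives flagged only for their contents, and everything else. The bucket rules and the TOOL_DETECTIONS list are this example's own assumptions; the sample lines are the ones posted above.

```python
"""Triage a Dr.Web CureIt result list (added example, not Dr.Web's code).

Each CureIt result line has four ';'-separated fields:
    object name ; directory ; detection name ; action taken
The action field is empty when CureIt only reported the object.
"""
import re
from dataclasses import dataclass

# Detection names that here belong to tools the user ran deliberately
# (psexec.cfexe inside ComboFix, Process.exe inside SDFix). This list is
# an assumption of the example, not something CureIt itself knows.
TOOL_DETECTIONS = ("Program.PsExec", "Tool.Prockill")

# Result lines as posted in the thread (sample input for this example).
SAMPLE = r"""
RegUBP2b-Admin.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots;Trojan.StartPage.1505;Vymazané;
RegUBP2b-Admin.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Vymazané;
C2152591d01\327882R2FWJFW\psexec.cfexe;C:\Documents and Settings\Admin\Local Settings\Application Data\Mozilla\Firefox\Profiles\gic2oh86.default\Cache\C2152591d01;Program.PsExec.171;;
C2152591d01;C:\Documents and Settings\Admin\Local Settings\Application Data\Mozilla\Firefox\Profiles\gic2oh86.default\Cache;Archív obsahuje infikované objekty;Presunuté;
B02E7B0Dd01;C:\Documents and Settings\Admin\Local Settings\Application Data\Mozilla\Profiles\default\Cache;Win32.HLLM.Graz;Vymazané;
132B5313d01;C:\Documents and Settings\Admin\Local Settings\Application Data\Mozilla\Profiles\default\Cache;Win32.HLLM.Graz;Vymazané;
SDFix.exe\SDFix\apps\Process.exe;C:\Documents and Settings\Admin\Desktop\SDFix.exe;Tool.Prockill;;
SDFix.exe;C:\Documents and Settings\Admin\Desktop;Archív obsahuje infikované objekty;;
ComboFix.exe\327882R2FWJFW\psexec.cfexe;C:\Documents and Settings\Admin\Desktop\ComboFix.exe;Program.PsExec.171;;
ComboFix.exe;C:\Documents and Settings\Admin\Desktop;Archív obsahuje infikované objekty;;
A0170784.EXE;C:\System Volume Information\_restore{34F63E1D-5E28-4939-A618-7A6F5C996336}\RP936;Program.PsExec.170;;
A0170823.reg;C:\System Volume Information\_restore{34F63E1D-5E28-4939-A618-7A6F5C996336}\RP936;Trojan.StartPage.1505;Vymazané;
A0170824.reg;C:\System Volume Information\_restore{34F63E1D-5E28-4939-A618-7A6F5C996336}\RP936;Trojan.StartPage.1505;Vymazané;
Process.exe;C:\SDFix\SDFix\apps;Tool.Prockill;;
"""


@dataclass
class Finding:
    obj: str
    directory: str
    detection: str
    action: str          # "Vymazané" (deleted), "Presunuté" (moved) or "" (reported only)

    @property
    def category(self) -> str:
        # Order matters: a PsExec copy sitting in the browser cache is still
        # a tool component, so the tool check comes first.
        if self.detection.startswith(TOOL_DETECTIONS):
            return "tool"
        if "_restore{" in self.directory:
            return "restore-point"      # only reachable again by restoring that point
        if re.search(r"\\Cache(\\|$)", self.directory):
            return "browser-cache"      # downloaded content, not necessarily executed
        if self.detection.startswith(("Archív", "Archive")):
            return "container"          # archive flagged only because of what it holds
        return "active"                 # a real detection in a live location


def parse_cureit(text: str) -> list:
    """Turn CureIt result lines into Finding objects; non-result lines are skipped."""
    findings = []
    for raw in text.splitlines():
        parts = raw.strip().split(";")
        if len(parts) < 4:
            continue
        findings.append(Finding(*parts[:4]))
    return findings


def summarize(findings) -> dict:
    """Group findings by category so each bucket can be reviewed on its own."""
    buckets = {}
    for f in findings:
        buckets.setdefault(f.category, []).append(f)
    return buckets


def unresolved(findings) -> list:
    """Real detections CureIt reported but neither deleted nor moved."""
    return [f for f in findings
            if f.action == "" and f.category not in ("tool", "container")]


if __name__ == "__main__":
    hits = parse_cureit(SAMPLE)
    for name, items in sorted(summarize(hits).items()):
        print(f"{name:14} {len(items)}")
        for f in items:
            print(f"    {f.detection:28} {f.obj}  [{f.action or 'reported only'}]")
    print("unresolved:", len(unresolved(hits)))
```

Run on the sample, the two Spybot snapshot hits land in "active" and were deleted, the two Graz hits are browser-cache copies, the restore-point copies were deleted, and every object CureIt left untouched is either a tool component or an archive flagged for one, so `unresolved()` comes back empty.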

jeffino
Visitor
Posts: 9
Registered: 31 Jul 2008 12:04

Re: Win32/Mebroot.K

#114 Post by jeffino »

And finally all the logs (hopefully the last ones :) ).

---------------------------------------------------------------------------------------------
ComboFix 08-07-31.01 - Admin 2008-08-01 0:17:10.2 - FAT32x86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.83 [GMT 1:00]
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Admin\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\FOUND.000
C:\FOUND.000\FILE0000.CHK
C:\FOUND.000\FILE0001.CHK
C:\FOUND.000\FILE0002.CHK
C:\FOUND.000\FILE0003.CHK
C:\FOUND.000\FILE0004.CHK
C:\FOUND.000\FILE0005.CHK
C:\FOUND.000\FILE0006.CHK
C:\FOUND.000\FILE0007.CHK
C:\FOUND.000\FILE0008.CHK
C:\FOUND.000\FILE0009.CHK
C:\FOUND.000\FILE0010.CHK
C:\FOUND.000\FILE0011.CHK
C:\FOUND.000\FILE0012.CHK
C:\FOUND.001
C:\FOUND.001\FILE0000.CHK
C:\FOUND.001\FILE0001.CHK
C:\FOUND.001\FILE0002.CHK
C:\FOUND.002
C:\FOUND.002\FILE0000.CHK
C:\FOUND.002\FILE0001.CHK
C:\FOUND.002\FILE0002.CHK
C:\FOUND.002\FILE0003.CHK
C:\FOUND.002\FILE0004.CHK
C:\FOUND.002\FILE0005.CHK
C:\FOUND.002\FILE0006.CHK
C:\FOUND.002\FILE0007.CHK
C:\FOUND.002\FILE0008.CHK
C:\FOUND.002\FILE0009.CHK
C:\FOUND.002\FILE0010.CHK
C:\FOUND.002\FILE0011.CHK
C:\FOUND.002\FILE0012.CHK
C:\SDFix
C:\SDFix\SDFix\apps\assosfix.reg
C:\SDFix\SDFix\apps\cliptext.exe
C:\SDFix\SDFix\apps\download.exe
C:\SDFix\SDFix\apps\dummy.sys
C:\SDFix\SDFix\apps\Enable_Command_Prompt.reg
C:\SDFix\SDFix\apps\ERDNT.E_E
C:\SDFix\SDFix\apps\ERDNTDOS.LOC
C:\SDFix\SDFix\apps\ERDNTWIN.LOC
C:\SDFix\SDFix\apps\ERUNT.EXE
C:\SDFix\SDFix\apps\ERUNT.LOC
C:\SDFix\SDFix\apps\fix.reg
C:\SDFix\SDFix\apps\FixBH.reg
C:\SDFix\SDFix\apps\FixComponents.reg
C:\SDFix\SDFix\apps\FIXCU.reg
C:\SDFix\SDFix\apps\FIXLM.reg
C:\SDFix\SDFix\apps\FixPath.exe
C:\SDFix\SDFix\apps\FixRedir.reg
C:\SDFix\SDFix\apps\FixSchedule.reg
C:\SDFix\SDFix\apps\FixWebCheck.reg
C:\SDFix\SDFix\apps\fixXP.reg
C:\SDFix\SDFix\apps\FixXPsp2.reg
C:\SDFix\SDFix\apps\grep.exe
C:\SDFix\SDFix\apps\HaxdFix.reg
C:\SDFix\SDFix\apps\HPFix.reg
C:\SDFix\SDFix\apps\HPFix2.reg
C:\SDFix\SDFix\apps\HPFix3.reg
C:\SDFix\SDFix\apps\HPFix4.reg
C:\SDFix\SDFix\apps\HPFix5.reg
C:\SDFix\SDFix\apps\HPFix6.reg
C:\SDFix\SDFix\apps\HPFix7.reg
C:\SDFix\SDFix\apps\HPFix8.reg
C:\SDFix\SDFix\apps\HPFix9.reg
C:\SDFix\SDFix\apps\isadmin.exe
C:\SDFix\SDFix\apps\leg2.txt
C:\SDFix\SDFix\apps\legacy.txt
C:\SDFix\SDFix\apps\legacybk.txt
C:\SDFix\SDFix\apps\locate.com
C:\SDFix\SDFix\apps\LS.exe
C:\SDFix\SDFix\apps\MD5File.exe
C:\SDFix\SDFix\apps\moveex.exe
C:\SDFix\SDFix\apps\MyGcpvFix.reg
C:\SDFix\SDFix\apps\MyGkFix2.reg
C:\SDFix\SDFix\apps\Process.exe
C:\SDFix\SDFix\apps\procs.exe
C:\SDFix\SDFix\apps\psservice.exe
C:\SDFix\SDFix\apps\Rem.txt
C:\SDFix\SDFix\apps\Rem2.txt
C:\SDFix\SDFix\apps\Replace\regedit.exe
C:\SDFix\SDFix\apps\Replace\W2K.exe
C:\SDFix\SDFix\apps\Replace\w2k\beep.sys
C:\SDFix\SDFix\apps\Replace\w2k\null.sys
C:\SDFix\SDFix\apps\Replace\XP.exe
C:\SDFix\SDFix\apps\Replace\xp\beep.sys
C:\SDFix\SDFix\apps\Replace\xp\null.sys
C:\SDFix\SDFix\apps\Reset_AppInit_DLLs.reg
C:\SDFix\SDFix\apps\RestartIt!.exe
C:\SDFix\SDFix\apps\Restore_SecurityCenter.reg
C:\SDFix\SDFix\apps\Restore_SharedAccess.reg
C:\SDFix\SDFix\apps\sc.exe
C:\SDFix\SDFix\apps\sed.exe
C:\SDFix\SDFix\apps\SF.exe
C:\SDFix\SDFix\apps\shutdown.exe
C:\SDFix\SDFix\apps\srv2.txt
C:\SDFix\SDFix\apps\srv2bk.txt
C:\SDFix\SDFix\apps\svc.txt
C:\SDFix\SDFix\apps\svcbk.txt
C:\SDFix\SDFix\apps\swreg.exe
C:\SDFix\SDFix\apps\swsc.exe
C:\SDFix\SDFix\apps\unzip.exe
C:\SDFix\SDFix\apps\vfind.exe
C:\SDFix\SDFix\apps\WINMSG.EXE
C:\SDFix\SDFix\apps\winsec.reg
C:\SDFix\SDFix\apps\zip.exe
C:\SDFix\SDFix\backups\backupreg.zip
C:\SDFix\SDFix\backups\backups.zip
C:\SDFix\SDFix\backups\catchme.log
C:\SDFix\SDFix\backups\HOSTS
C:\SDFix\SDFix\catchme.exe
C:\SDFix\SDFix\dummy.sys
C:\SDFix\SDFix\Report.txt
C:\SDFix\SDFix\RunThis.bat
C:\SDFix\SDFix\SDFIX_ReadMe_Online.url
C:\SDFix\SDFix\sinowaltest1.txt
C:\SDFix\SDFix\W2K_CodecRepair.inf
C:\SDFix\SDFix\XP_CodecRepair.inf
C:\WINDOWS\TEMP\14EC.tmp

.
((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-31 )))))))))))))))))))))))))))))))
.

2009-04-08 11:36 . 2008-03-03 14:25 5,702 --ah----- C:\WINDOWS\nod32restoretemdono.reg
2009-04-08 11:36 . 2008-03-03 18:21 568 --ah----- C:\WINDOWS\nod32fixtemdono.reg
2009-04-08 11:32 . 2009-04-08 11:32 <DIR> d-------- C:\Program Files\ESET
2009-03-02 15:46 . 2009-03-02 15:46 <DIR> d-------- C:\Program Files\Opera
2009-01-22 20:32 . 2009-01-22 20:32 <DIR> d-------- C:\Program Files\Winamp
2008-07-31 19:36 . 2008-07-31 19:36 577,024 --a------ C:\WINDOWS\system32\dllcache\user32.dll
2008-07-31 19:35 . 2008-07-31 19:35 <DIR> d-------- C:\WINDOWS\ERUNT
2008-07-31 19:17 . 2008-07-31 19:17 <DIR> d-------- C:\Documents and Settings\Admin\DoctorWeb
2008-07-16 08:59 . 2008-07-16 08:59 <DIR> d-------- C:\Program Files\QIP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-22 19:32 --------- d-----w C:\Documents and Settings\Admin\Application Data\Winamp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:56 15360]
"OM_Monitor"="C:\Program Files\OLYMPUS Master\Monitor.exe" [2005-11-29 19:19 57344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2004-07-15 11:42 4112384]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2004-07-15 11:42 81920]
"OM_Monitor"="C:\Program Files\OLYMPUS Master\FirstStart.exe" [2005-11-29 19:19 40960]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41 49152]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 13:06 40048]
"nwiz"="nwiz.exe" [2004-07-15 11:42 843776 C:\WINDOWS\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2003-12-19 11:53 65024 C:\WINDOWS\SOUNDMAN.EXE]
"CHotkey"="zHotkey.exe" [2003-07-29 18:06 515584 C:\WINDOWS\zHotkey.exe]
"ShowWnd"="ShowWnd.exe" [2003-09-19 09:09 36864 C:\WINDOWS\ShowWnd.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 09:56 15360]

C:\Documents and Settings\Admin\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]
SaveSnap.lnk.disabled [2007-09-19 21:24:12 646]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office2000\Office\OSA9.EXE [1999-02-18 02:05:56 65588]
HP Digital Imaging Monitor.lnk.disabled [2006-12-24 21:10:12 1718]
InterVideo WinCinema Manager.lnk.disabled [2004-09-21 18:56:28 1687]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= pvmjpg21.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ICQ Lite"="C:\Program Files\ICQLite\ICQLite.exe" -minimize
"gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\System32\\dpvsetup.exe"=
"C:\\WINDOWS\\System32\\ftp.exe"=
"C:\\Program Files\\Totalcmd\\TOTALCMD.EXE"=
"C:\\WINDOWS\\System32\\dplaysvr.exe"=
"E:\\Call of Duty\\CoDMP.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"E:\\AoE2\\empires2.exe"=
"E:\\Football Manager 2008\\fm.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 prodrv03;Star Force copy protection driver v3;C:\WINDOWS\system32\drivers\prodrv03.sys [2004-10-07 19:32]
R3 PSched;QoS Packet Scheduler;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-04 08:04]
S2 NOD32FiXTemDono;Eset Nod32 Boot;C:\WINDOWS\system32\regedt32.exe [2001-08-23 12:00]
S3 MapMem;MapMem;F:\mapmem.sys []
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-01 00:20:54
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"CHotkey"="zHotkey.exe"
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRAM FILES\ESET\ESET SMART SECURITY\EKRN.EXE
C:\WINDOWS\SYSTEM32\NVSVC32.EXE
C:\WINDOWS\SYSTEM32\HPZIPM12.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-08-01 0:22:33 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-31 23:22:26
ComboFix2.txt 2008-07-31 18:55:50

Pre-Run: 7,241,465,856 bytes free
Post-Run: 7,278,575,616 voľných bajtov

240


------------------------------------------------------------------------------------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 0:24:46, on 1.8.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\zHotkey.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla\firefox.exe
C:\Documents and Settings\Admin\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.klephoviny.ic.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Podpora odkazu pro Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [OM_Monitor] "C:\Program Files\OLYMPUS Master\FirstStart.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: SaveSnap.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office2000\Office\OSA9.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
O4 - Global Startup: InterVideo WinCinema Manager.lnk.disabled
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 4881 bytes


------------------------------------------------------------------------------------------


Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK


------------------------------------------------------------------------------------------


What do you say, stell? ESS reports nothing. Could it be okay now? Thank you for your patience.

stell
VIP
Posts: 5175
Registered: 09 Dec 2007 09:27
Location: SK-REVUCA

Re: Win32/Mebroot.K

#115 Post by stell »

OK. Now it would be good if you found these files, zipped them and sent them here: HAVETOZBERNA.
http://www.viry.cz/forum/viewtopic.php?f=15&t=30935
C:\WINDOWS\Temp\bca4e2da.$$$ - Deleted
C:\WINDOWS\Temp\ed47fa.$ - Deleted
C:\WINDOWS\Temp\fa56d7ec.$$$ - Deleted
SDFix made a backup and it should be HERE:
C:\Documents and Settings\Admin\Desktop;Archív
If you don't find it, never mind :) Fix in HJT:
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
Click SVI in my signature and turn off System Restore > restart.
Start > Run > enter combofix /u, OK
Put this back to its original state:
Click Start.
* open My Computer
* Tools > Folder Options...
* View
* check Show hidden files and folders
* uncheck Hide protected operating system files (recommended)
* click Yes
* click OK.
Clean up the PC > CCleaner + T-Cleaner:
http://sweb.cz/Marinus/T-Cleaner.bat
Download, install and run CCleaner - http://www.ccleaner.com/download/downloadpage.aspx?f=2
- Click Cleaner -> the Windows tab and press Analyze, then Run Cleaner
- Click the Applications tab and press Analyze, then Run Cleaner
- Click Registry, press Scan for Issues, and when the scan finishes click Fix selected issues,
- choose Yes to create a backup, save the offered file and click Fix all issues; keep pressing the button until the right-hand pane of the CCleaner window is clean
Delete the Firefox cache either manually or with ATF Cleaner

after running the downloaded file a window pops up:

[image]

at the top of the menu select the Firefox / Opera tab and click it

tick the Select All box and then click the Empty Selected button

warning - you will lose all passwords saved in FF / Opera!

close the application with the Exit button :)
CHANGE ALL PASSWORDS, ICQ, MSN, Internet... etc. > everything you use.
And that's all. Try it out and report back. :wink:
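The three HJT lines stell asks to fix above are exactly the ones HijackThis itself tags with "(file missing)" or "(no file)". Here is an added Python example (not from the thread and not HijackThis's own code) that parses an HJT log, picks out those orphaned entries, and, because an O9 button and its 'Tools' menu item share one CLSID, returns both halves of such a pair as one fix list. The sample lines are copied from the HJT log posted above; the pairing rule is this example's own assumption.

```python
"""Pick out HijackThis entries whose target file no longer exists
(added example; not from the thread and not HijackThis's own code)."""
import re
from typing import NamedTuple

# HJT lines copied from the log posted in the thread (sample input for this example).
SAMPLE_HJT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.klephoviny.ic.cz/
O2 - BHO: Podpora odkazu pro Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS Master\Monitor.exe -NoStart
O4 - Startup: SaveSnap.lnk.disabled
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""


class HjtEntry(NamedTuple):
    section: str   # HJT section code: R0, O2, O4, O9, O23 ...
    body: str      # everything after "O9 - "


ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
ORPHAN_MARKERS = ("(file missing)", "(no file)")   # HJT's own wording


def parse_hjt(text: str) -> list:
    """Keep only lines that look like HJT entries; headers and process lists are dropped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(HjtEntry(m.group(1), m.group(2)))
    return entries


def orphaned(entries) -> list:
    """Entries HJT itself marks as pointing at a file that is gone."""
    return [e for e in entries if e.body.endswith(ORPHAN_MARKERS)]


def by_clsid(entries) -> dict:
    """Group O2/O9-style entries by CLSID; a button and its 'Tools' item share one."""
    groups = {}
    for e in entries:
        m = CLSID_RE.search(e.body)
        if m:
            groups.setdefault(m.group(0).upper(), []).append(e)
    return groups


def fix_list(entries) -> list:
    """Full HJT lines to tick for 'Fix checked': every orphan plus its CLSID siblings."""
    groups = by_clsid(entries)
    chosen = []
    for e in orphaned(entries):
        m = CLSID_RE.search(e.body)
        siblings = groups.get(m.group(0).upper(), [e]) if m else [e]
        for s in siblings:
            line = f"{s.section} - {s.body}"
            if line not in chosen:
                chosen.append(line)
    return chosen


if __name__ == "__main__":
    for line in fix_list(parse_hjt(SAMPLE_HJT)):
        print(line)
```

On the sample this yields the two ICQ Lite O9 lines and the nameless {CD67F990-...} button, and nothing else: the Java, Spybot and Adobe entries still point at files that exist, so they stay out of the fix list even though some of them also carry "(no name)".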

jeffino
Visitor
Posts: 9
Registered: 31 Jul 2008 12:04

Re: Win32/Mebroot.K

#116 Post by jeffino »

I rarred the three files and uploaded them at the mentioned link as "backups.rar". In HJT I deleted the three entries, restored the folder settings to their original state, and cleaned up with T-Cleaner, ATF-Cleaner and CCleaner. I haven't noticed any observable speed-up of the system, but it looks like everything works as it should. I still have two questions though...
1.) How could that junk get into the PC when I wasn't surfing any warez or xxx sites and the last new software I installed was about 10 days ago?
2.) Is internet banking safe at this point? Or does this password also need changing (is that even possible? :) ), even though of course I never had it saved anywhere on the PC.
Thank you very much for all the advice. :D
P.S. Do something about the SMS messages so that Slovaks can also get help from you and say thanks.

stell
VIP
Posts: 5175
Registered: 09 Dec 2007 09:27
Location: SK-REVUCA

Re: Win32/Mebroot.K

#117 Post by stell »

How could that junk get into the PC when I wasn't surfing any warez or xxx sites and the last new software I installed was about 10 days ago?
You must have carried it in on a USB stick.
Is internet banking safe at this point? Or does this password also need changing (is that even possible? :) ), even though of course I never had it saved anywhere on the PC
Yes, at this point it's safe; yes, you must change this password too, even though you didn't have it saved on the PC; whether it can be done, well, it must be possible, I don't use IB myself.
You had a huge monster called MEBROOT in your PC, which means some Chinese or Russian guy knows everything about your computer and about IB too.
And there's nothing to thank me for, take care. :wink:
SMS from Slovakia doesn't work yet, :)

Simicek
Visitor
Posts: 173
Registered: 23 Jul 2008 19:09

Re: Win32/Mebroot.K

#118 Post by Simicek »

Stell, so the problem will be gone soon, I'll get to it this week, OK
I'll send you again
HJT and MBR

Simicek
Visitor
Posts: 173
Registered: 23 Jul 2008 19:09

Re: Win32/Mebroot.K

#119 Post by Simicek »

Will I need anything for it, like:
a flash drive or something else.
And what did the virus do to me, and what does it do in my computer.

stell
VIP
Posts: 5175
Registered: 09 Dec 2007 09:27
Location: SK-REVUCA

Re: Win32/Mebroot.K

#120 Post by stell »

Yes, run mbr.exe and post the log here + HJT > then we'll see how to proceed:
Will I need anything for it, like:
a flash drive or something else.
And what did the virus do to me, and what does it do in my computer.
:D A flask, eh :all_coholic: No, but if you use a USB stick, flash drive etc., it also needs to be checked with CUREIT.
That virus collected your confidential information, your passwords, e-mail address, contacts, everything... and sent it who knows where and to whom. So they even know what shoe size you wear and what you dreamed about, simply everything.

Locked