Win32/Mebroot.K

[Simicek]

a pak??

[stell]

Enter.
Ak restartujes a Mackas F-8>objavi sa ti menu tam vyberies nudzovu rezim a stlacis enter,pockas chvilku ....>>suhlas a uz si v nudzovom rezime.

[Simicek]

Pak otevřu adresář a pustim aplikaci RunThis.bat

[stell]

ano,presne tak RunThisBAT>>Precitaj navod este raz aby si to nepoplietol.

[Simicek]

tady je ten kig z SDFix

SDFix: Version 1.213
Run by Diablo Hit ADSL on 2008-08-07 at 09:24

Microsoft Windows XP [Verze 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
{DEF85C80-216A-43ab-AF70-1665EDBE2780}

Path :
\??\C:\WINDOWS\TEMP\369.tmp

{DEF85C80-216A-43ab-AF70-1665EDBE2780} - Deleted



Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\Documents and Settings\Diablo Hit ADSL\Data aplikacˇ\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.redtube.com\settings.sol - Deleted
C:\WINDOWS\system32\plugin1.dat - Deleted
C:\WINDOWS\Temp\bca4e2da.$$$ - Deleted
C:\WINDOWS\Temp\ed47fa.$ - Deleted
C:\WINDOWS\Temp\fa56d7ec.$$$ - Deleted

Note - Files associated with the MBR Rootkit have been found on this system, to check the PC use the MBR Rootkit Detector by Gmer or CureIt by Dr.Web


Folder C:\Documents and Settings\Diablo Hit ADSL\Data aplikacˇ\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.redtube.com - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-07 10:00:00
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

IPC error: 2 Systém nemůže nalézt uvedený soubor.
scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:uTorrent"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 26 Oct 2005 1,682 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Wed 26 Oct 2005 56 ..SHR --- "C:\WINDOWS\system32\32CE239226.sys"
Thu 15 Jun 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 9 Jan 2008 25,088 ...H. --- "C:\Documents and Settings\Diablo Hit ADSL\Dokumenty\~WRL0790.tmp"
Wed 9 Jan 2008 24,576 ...H. --- "C:\Documents and Settings\Diablo Hit ADSL\Dokumenty\~WRL0542.tmp"
Sun 2 Jul 2006 62,976 ...H. --- "C:\Documents and Settings\Diablo Hit ADSL\Dokumenty\~WRL0002.tmp"
Thu 8 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\a5f16949630e8c407182e4928048db02\BIT13.tmp"
Fri 23 Mar 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Thu 20 Jul 2006 444 ...HR --- "C:\Documents and Settings\All Users\Data aplikacˇ\SecuROM\UserData\securom_v7_01G.bak"

Finished!


Mam sem hodit catchme??

[stell]

ok,Teraz nastrkaj vsetko,Flash,Usb kluc ....>klik v mojom podpise na WEB CUREIT a teraz pouzijes len EXPRES SCEN>navod v podpise;

Potom pouzijes Combofix:a combofix.txt vloz sem:

PROSIM CITAJTE POZORNE NAVODY!!!,

Stáhněte na plochu, ukončete všechna aktivní okna a spusťte ComboFix -
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

- ComboFix je třeba spustit pod účtem s právy administrátora.
- Po spuštění se zobrazí podmínky užití, potvrďte je stiskem tlačítka Ano;

A este raz >ANO<


- Dále postupujte dle pokynů, během aplikování ComboFixu neklikejte do zobrazujícího se okna

- Po dokončení skenování, trvajícího maximálně 10-15 minut, by měl program vytvořit log - C:\ComboFix.txt, zkopírujte celý jeho obsah do svého threadu na forum


- Před použitím ComboFixu je treba vypnout všechny rezidentní bezpečnostní programy - antiviry, firewally, antispywary. Mohou zasahovat do činnosti ComboFixu, což může způsobit, že nebude fungovat korektně.
V případě detekce antiviru u ComboFixu se jedná o falešný poplach.

[Simicek]

co všechno nastrkat na USB klíč??
A ještě tohle pls vysvětli
ComboFix je třeba spustit pod účtem s právy administrátora

[stell]

Na USB>kluc nic,ale strc USB>kluc do Vstupu USB.
Combofix spust pod Admin uctom>to znamena ked prihlasis sa do windows aby si mal prava admina a nie obmedzeny ucet ako Guest.

[Simicek]

Ale když se přihlásím tak tam mám jenom můj učet.

[stell]

Ok potom nie je problem prestuduj navod a spust Combofix.

[Simicek]

Kolik asi bude ještě postupu??

[stell]

Pozri sa sem ak chces toto je posledny,a potom sa uvidi.

[Simicek]

ComboFix 08-08-07.01 - Diablo Hit ADSL 2008-08-07 20:33:55.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1029.18.140 [GMT 2:00]
Running from: C:\Documents and Settings\Diablo Hit ADSL\Plocha\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Diablo Hit ADSL\Data aplikací\macromedia\Flash Player\#SharedObjects\WSTZG3U4\www.broadcaster.com
C:\Documents and Settings\Diablo Hit ADSL\Data aplikací\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Diablo Hit ADSL\Data aplikací\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Documents and Settings\Diablo Hit ADSL\Local Settings\Temporary Internet Files\ENCounterSpyConsumer.2.5.1043.0.exe
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\MSINET.oca

.
((((((((((((((((((((((((( Files Created from 2008-07-07 to 2008-08-07 )))))))))))))))))))))))))))))))
.

2008-08-07 20:20 . 2008-08-07 20:20 <DIR> d-------- C:\Documents and Settings\Diablo Hit ADSL\DoctorWeb
2008-08-07 20:14 . 2008-08-07 20:16 11,070,632 --a------ C:\cureit.exe
2008-08-07 20:12 . 2008-08-07 20:12 <DIR> d-------- C:\jirka flash
2008-08-07 19:47 . 2008-08-07 20:21 100,000,000 --a------ C:\pkmCZ_S01E03.part1.rar
2008-08-07 18:42 . 2008-08-07 18:42 <DIR> d-------- C:\Pokemon
2008-08-07 09:16 . 2008-08-07 09:16 <DIR> d-------- C:\WINDOWS\ERUNT
2008-08-07 08:41 . 2008-08-05 13:27 <DIR> d-------- C:\SDFix
2008-08-07 07:09 . 2007-06-08 21:27 <DIR> d-a------ C:\Crack
2008-08-04 08:26 . 2008-08-04 08:30 9,730,075 --a------ C:\vlc-0.8.6f-win32.exe
2008-08-04 08:25 . 2008-08-04 08:30 12,724,973 --a------ C:\klmcodec410.exe
2008-08-03 19:05 . 2008-08-03 19:06 15,544 --a------ C:\WINDOWS\system32\drivers\sbhr.sys
2008-08-03 19:03 . 2008-08-03 19:03 <DIR> d-------- C:\Sunbelt CounterSpy v2.5.1042
2008-08-03 19:02 . 2008-08-03 19:02 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Sunbelt Software
2008-08-03 19:01 . 2008-08-03 19:01 <DIR> d-------- C:\CounterSpy
2008-08-03 18:31 . 2008-08-03 19:00 73,491,568 --a------ C:\_Countspy2.5.1042.rar
2008-07-30 08:59 . 2008-07-30 09:00 <DIR> d-------- C:\GameBoy Advence
2008-07-30 08:58 . 2008-07-30 08:58 <DIR> d-------- C:\GameBoy
2008-07-28 21:02 . 2008-07-28 21:02 <DIR> d-------- C:\backups
2008-07-28 11:40 . 2008-07-28 11:40 <DIR> d-------- C:\Documents and Settings\Diablo Hit ADSL\Data aplikací\Talkback
2008-07-27 18:00 . 2008-07-27 18:00 355,333 --a------ C:\Recount-r79128.zip
2008-07-26 23:38 . 2008-07-26 23:37 502,368 --a------ C:\WINDOWS\system32\drivers\amon.sys
2008-07-26 23:38 . 2008-07-26 23:37 270,336 --a------ C:\WINDOWS\system32\imon.dll
2008-07-24 21:59 . 2008-07-24 22:01 1,325 --a------ C:\WINDOWS\mozver.dat
2008-07-23 21:30 . 2008-07-23 21:30 401,720 --a------ C:\HijackThis.exe
2008-07-22 23:13 . 2008-07-22 23:13 <DIR> d-------- C:\Documents and Settings\Diablo Hit ADSL\Data aplikací\Sunbelt Software
2008-07-22 22:56 . 2008-07-22 23:10 77,896,616 --a------ C:\counterspy.exe
2008-07-12 22:07 . 2008-07-12 22:07 <DIR> d-------- C:\Documents and Settings\Diablo Hit ADSL\Data aplikací\JLC's Software
2008-07-10 19:59 . 2008-08-07 16:56 20,670 --a------ C:\WINDOWS\system32\drivers\fwdrv.err
2008-07-10 19:46 . 2008-07-10 19:46 <DIR> d-------- C:\Program Files\Sunbelt Software
2008-07-10 19:36 . 2008-07-10 19:38 7,421,312 --a------ C:\Kerio_Personal_FireWall_4.3.268.zip
2008-07-10 19:31 . 2008-06-21 04:54 269,736 -ra------ C:\WINDOWS\system32\drivers\SbFw.sys
2008-07-10 19:31 . 2008-06-21 04:54 65,576 --a------ C:\WINDOWS\system32\drivers\SbFwIm.sys
2008-07-09 22:46 . 2008-07-09 22:46 <DIR> d--h----- C:\WINDOWS\ie8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-02 20:41 301,726 ----a-w C:\wowrm104cz.zip
2008-07-24 08:10 44,712 ----a-w C:\Documents and Settings\Diablo Hit ADSL\Data aplikací\GDIPFONTCACHEV1.DAT
2008-07-01 20:11 2,047,416 ----a-w C:\qip8070.exe
2008-07-01 18:18 1,647,004 ----a-w C:\qip2005pack.exe
2008-06-28 13:53 --------- d-----w C:\Program Files\NOD32 FiX
2008-06-28 08:09 --------- d-----w C:\Documents and Settings\Diablo Hit ADSL\Data aplikací\DivX
2008-06-20 17:42 247,296 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:42 247,296 ----a-w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:42 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-14 18:00 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-14 18:00 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-02 14:28 19,854,392 ----a-w C:\Norman_Malware_Cleaner.exe
2008-05-30 23:22 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-05-30 23:22 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-05-30 23:22 815,104 ----a-w C:\WINDOWS\system32\divx_xx0a.dll
2008-05-30 23:22 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-05-30 23:22 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-05-30 23:22 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-05-30 23:22 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-05-30 23:22 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2008-05-30 23:22 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-05-30 23:22 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2008-05-22 22:22 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-05-22 22:22 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2008-05-22 22:22 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe
2008-05-22 22:22 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2008-05-22 22:20 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-05-22 22:20 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-05-22 22:19 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-05-22 22:19 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-05-22 22:18 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 05:16 1,290,240 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:16 1,290,240 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2007-03-28 18:05 33 ----a-w C:\Program Files\Common Files\LanTingSys.txt
2005-01-03 18:11 15,386 ----a-w C:\Documents and Settings\Diablo Hit ADSL\BestTimes.dat
2005-10-26 07:49 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2005-10-26 07:49 56 --sh--r C:\WINDOWS\system32\32CE239226.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]
"Steam"="c:\steam\steam.exe" [2008-03-28 15:20 1271032]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-18 14:00 15360]
"OM2_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2007-09-11 18:43 95536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-03-09 15:29 7561216]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"CnxDslTaskBar"="C:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe" [2004-04-29 08:00 462848]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe" [2004-09-28 20:26 32881]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-03-09 15:29 86016]
"PCSuiteTrayApplication"="C:\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 13:20 227328]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-07-26 23:36 917504]
"SBCSTray"="C:\CounterSpy\SBCSTray.exe" [2007-11-28 12:57 698864]
"nwiz"="nwiz.exe" [2006-03-09 15:29 1519616 C:\WINDOWS\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2003-11-13 18:23 62464 C:\WINDOWS\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-18 14:00 15360]
"Nokia.PCSync"="C:\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 15:58 1744896]

C:\Documents and Settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-02-09 13:23:55 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.dvsd"= dvc.dll
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Nabídka Start^Programy^Po spuštění^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Nabídka Start\Programy\Po spuštění\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Diablo Hit ADSL^Nabídka Start^Programy^Po spuštění^PowerReg Scheduler V3.exe]
path=C:\Documents and Settings\Diablo Hit ADSL\Nabídka Start\Programy\Po spuštění\PowerReg Scheduler V3.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler V3.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-01-15 03:22 267048 C:\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 17:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 15:27 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2003-10-31 19:42 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 SBHR;SBHR;C:\WINDOWS\system32\drivers\sbhr.sys [2008-08-03 19:06]
R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys [2006-07-18 12:02]
R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys [2006-07-18 12:02]
R1 SbFw;SbFw;C:\WINDOWS\system32\drivers\SbFw.sys [2008-06-21 04:54]
R2 athsgt;athsgt;C:\WINDOWS\system32\DRIVERS\athsgt.sys [2006-05-03 15:21]
R2 limsgt;limsgt;C:\WINDOWS\system32\DRIVERS\limsgt.sys [2006-05-03 15:21]
R3 CnxEtP;Conexant AccessRunner USB ADSL WAN Adapter Filter Driver;C:\WINDOWS\system32\DRIVERS\CnxEtP.sys [2004-04-28 18:47]
R3 CnxEtU;Conexant AccessRunner USB ADSL Interface Device Driver;C:\WINDOWS\system32\DRIVERS\CnxEtU.sys [2004-04-28 18:48]
R3 CnxTgN;Conexant AccessRunner USB ADSL WAN Adapter Driver;C:\WINDOWS\system32\DRIVERS\CnxTgN.sys [2004-04-29 07:51]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-18 14:00]
R3 SBAPIFS;SBAPIFS;C:\WINDOWS\system32\drivers\sbapifs.sys []
R3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport;C:\WINDOWS\system32\DRIVERS\sbfwim.sys [2008-06-21 04:54]
S1 SpyEmrg;Spy Emergency Driver;C:\WINDOWS\system32\Drivers\spyemrg.sys []
S2 SbPF.Launcher;SbPF.Launcher;C:\Sunbelt Software\Personal Firewall\SbPFLnch.exe []
S3 ldiskl;ldiskl;C:\DOCUME~1\DIABLO~1\LOCALS~1\Temp\ldiskl.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\CDSTART.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{523c05c4-9c28-11dc-9242-000a4819c49a}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bd9dcf83-479e-11d9-92c8-806d6172696f}]
\shell\play\Command - "C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:3 /device:AudioCD "%L"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e594840a-935a-11da-86e0-000a4819c49a}]
\Shell\AutoRun\command - E:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f923aa49-84e4-11da-8675-000a4819c49a}]
\Shell\AutoRun\command - E:\Autorun.exe

*Newly Created Service* - PROCEXP90
*Newly Created Service* - SBAPIFS
.
Contents of the 'Scheduled Tasks' folder

2008-08-04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-BitTorrent - C:\Program Files\BitTorrent\bittorrent.exe
HKCU-Run-LaunchList - C:\Studio 11\LaunchList2.exe
MSConfigStartUp-DAEMON Tools-1033 - C:\DRTools\daemon.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Diablo Hit ADSL\Data aplikací\Mozilla\Firefox\Profiles\5cohetkd.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://cs.www.mozilla.com/cs/firefox/central/


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-07 20:42:43
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\Program Files\Eset\pr_imon.dll
.
Completion time: 2008-08-07 20:45:27
ComboFix-quarantined-files.txt 2008-08-07 18:45:20

Pre-Run: Volných bajtů: 37,795,037,184
Post-Run: Volných bajtů: 38,698,188,800

214 --- E O F --- 2008-07-09 21:23:55

[stell]

otestujte na VIRUSTOTALu
C:\DOCUME~1\DIABLO~1\LOCALS~1\Temp\ldiskl.sys
C:\WINDOWS\system32\32CE239226.sys
(navod prosty: po nacteni stranky kliknete na tlacitko Prochazet , najdete cestu k vyse zminenemu souboru a kliknete na tlacitko Odeslat soubor; dejte skenerum nejakych deset minut; vysledek sem vlozte)

[Simicek]

C:\WINDOWS\system32\32CE239226.sys

to je tento
Soubor 32CE239226.sys přijatý 2008.08.07 21:21:05 (CET)
Současný stav: Dokončeno
Výsledek: 0/36 (0.00%)
Formátované Formátované
Vytisknout výsledky Vytisknout výsledky
Antivirus Verze Poslední aktualizace Výsledek
AhnLab-V3 2008.8.8.0 2008.08.07 -
AntiVir 7.8.1.19 2008.08.07 -
Authentium 5.1.0.4 2008.08.07 -
Avast 4.8.1195.0 2008.08.07 -
AVG 8.0.0.156 2008.08.07 -
BitDefender 7.2 2008.08.07 -
CAT-QuickHeal 9.50 2008.08.07 -
ClamAV 0.93.1 2008.08.07 -
DrWeb 4.44.0.09170 2008.08.07 -
eSafe 7.0.17.0 2008.08.07 -
eTrust-Vet 31.6.6017 2008.08.07 -
Ewido 4.0 2008.08.07 -
F-Prot 4.4.4.56 2008.08.06 -
F-Secure 7.60.13501.0 2008.08.07 -
Fortinet 3.14.0.0 2008.08.07 -
GData 2.0.7306.1023 2008.08.07 -
Ikarus T3.1.1.34.0 2008.08.07 -
K7AntiVirus 7.10.407 2008.08.07 -
Kaspersky 7.0.0.125 2008.08.07 -
McAfee 5356 2008.08.07 -
Microsoft 1.3807 2008.08.07 -
NOD32v2 3337 2008.08.07 -
Norman 5.80.02 2008.08.06 -
Panda 9.0.0.4 2008.08.07 -
PCTools 4.4.2.0 2008.08.07 -
Prevx1 V2 2008.08.07 -
Rising 20.56.32.00 2008.08.07 -
Sophos 4.32.0 2008.08.07 -
Sunbelt 3.1.1537.1 2008.08.07 -
Symantec 10 2008.08.07 -
TheHacker 6.2.96.393 2008.08.04 -
TrendMicro 8.700.0.1004 2008.08.07 -
VBA32 3.12.8.2 2008.08.06 -
ViRobot 2008.8.7.1328 2008.08.07 -
VirusBuster 4.5.11.0 2008.08.07 -
Webwasher-Gateway 6.6.2 2008.08.07 -
Rozšiřující informace
File size: 56 bytes
MD5...: 5532f891c3aa2d9fcae6b4b209e4470e
SHA1..: 080f1346655b9e36b5a19eaa9bc7b5b2823ea1c0
SHA256: 467f76778cd71060190aefb7c8b8bf60231e646e65b4121bdda0eb98576e1654
SHA512: e24a6fe8ceea7200d735cf43876c848ea098a188b2d41ef6caaeff9f2e47e3e2
78b2c7a1de463010ea9f75b62354802eb8022fd3b50271744818a394c3dea0d4
PEiD..: -
PEInfo: -

VAROVÁNÍ VAROVÁNÍ: VirusTotal je služba poskytovaná zdarma společnosti Hispasec Sistemas. Kvalita výsledků není nijak zaručena. Výsledky jsou závislé na tvůrci daného produktu. Vysledky testů nemusí být 100% správné. Tyto výsledky nemusí znamenat, že daný soubor je infikován, nebo čistý!