Win32/Mebroot.K

[miccal]

log:

ComboFix 08-07-15.4 - Pepé 2008-07-17 15:57:54.1 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1029.18.167 [GMT 2:00]
Running from: C:\Documents and Settings\Pepé\Plocha\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_GB
-------\Legacy_{DEF85C80-216A-43AB-AF70-1665EDBE2780}


((((((((((((((((((((((((( Files Created from 2008-06-17 to 2008-07-17 )))))))))))))))))))))))))))))))
.

2008-07-17 15:13 . 2008-07-17 15:13 <DIR> d-------- C:\WINDOWS\ERUNT
2008-07-17 15:09 . 2008-07-17 15:30 <DIR> d-------- C:\SDFix
2008-07-14 18:35 . 2008-07-14 18:35 <DIR> d-------- C:\Program Files\Lavasoft
2008-07-06 15:25 . 2008-07-06 15:25 <DIR> d-------- C:\WINDOWS\system32\Lessons
2008-06-28 14:23 . 2008-06-28 14:23 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-06-19 23:48 . 2008-06-19 23:49 <DIR> d-------- C:\Program Files\TheSage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-17 14:03 40,906,784 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-17 14:02 480,404 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-07-14 16:35 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-14 16:07 --------- d-----w C:\Program Files\Bonjour
2008-07-05 14:25 --------- d-----w C:\Program Files\Vitware
2008-06-28 12:23 --------- d-----w C:\Program Files\Common Files\Real
2008-06-28 12:22 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-06-28 12:22 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-06-27 04:26 24,820 ----a-w C:\WINDOWS\system32\drivers\MxlW2k.sys
2008-06-24 14:11 --------- d-----w C:\Program Files\ICQToolbar
2008-06-10 16:56 34,312 ----a-w C:\WINDOWS\system32\drivers\epfwtdir.sys
2008-06-10 16:48 53,256 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys
2008-06-10 16:47 39,944 ----a-w C:\WINDOWS\system32\drivers\eamon.sys
2008-06-03 16:23 --------- d-----w C:\Program Files\iTunes
2008-06-03 16:23 --------- d-----w C:\Program Files\iPod
2008-06-03 16:21 --------- d-----w C:\Program Files\QuickTime
2008-05-28 20:31 --------- d-----w C:\Program Files\Java
2008-05-16 09:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-17 16:49 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 17:28 790528]
"SMail"="C:\Program Files\Seznam\Postak\Postak.exe" [2006-05-18 15:36 450560]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-01-23 13:09 675840]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-06-28 14:22 185896]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-06-10 18:52 1447168]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-17 16:49 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-06-10 18:56]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-04 00:04]
.
Contents of the 'Scheduled Tasks' folder
"2008-06-27 14:10:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-17 16:03:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-07-17 16:10:23 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-17 14:09:13

Adresářů: 8, Volných bajtů: 3,441,688,576
Adres ý…: 10, Volněch bajt…: 3,946,696,704

104

[stell]

Pri tejto akcii je nutné mať ComboFix na ploche.

Vypni>FIREWALL>Antivir>Antispyware>vsetko rezidentne.

Otvor Notepad (Poznámkový blok) a zkopíruj do neho celý zeleny tex:

Kód: Vybrat vše

Folder::
C:\SDFix

DirLook::
C:\WINDOWS\system32\Lessons

Potom klik na Subor -> Uložiť ako.. .. -> Ako je Názov souboru tak do toho riadku napiš:CFScript.txt
Typ súboru tak tam vyberies *všetky súbory
A ulož ho na plochu.> Pozor CFScript.txt>Neotvarat a nemoze byt ani>CFScript.txt.txt A Urobis Toto :


Po skonceni skenu vlož log čo ComboFix vytvorí+novy HiJackThis.log[/b

[miccal]

combofix log :

ComboFix 08-07-15.4 - Pepé 2008-07-17 16:33:22.2 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1029.18.92 [GMT 2:00]
Running from: C:\Documents and Settings\Pepé\Plocha\ComboFix.exe
Command switches used :: C:\Documents and Settings\Pepé\Plocha\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\SDFix
C:\SDFix\apps\assosfix.reg
C:\SDFix\apps\cliptext.exe
C:\SDFix\apps\download.exe
C:\SDFix\apps\dummy.sys
C:\SDFix\apps\Enable_Command_Prompt.reg
C:\SDFix\apps\ERDNT.E_E
C:\SDFix\apps\ERDNTDOS.LOC
C:\SDFix\apps\ERDNTWIN.LOC
C:\SDFix\apps\ERUNT.EXE
C:\SDFix\apps\ERUNT.LOC
C:\SDFix\apps\fix.reg
C:\SDFix\apps\FixBH.reg
C:\SDFix\apps\FixComponents.reg
C:\SDFix\apps\FIXCU.reg
C:\SDFix\apps\FIXLM.reg
C:\SDFix\apps\FixPath.exe
C:\SDFix\apps\FixRedir.reg
C:\SDFix\apps\FixSchedule.reg
C:\SDFix\apps\FixWebCheck.reg
C:\SDFix\apps\fixXP.reg
C:\SDFix\apps\FixXPsp2.reg
C:\SDFix\apps\grep.exe
C:\SDFix\apps\HaxdFix.reg
C:\SDFix\apps\HPFix.reg
C:\SDFix\apps\HPFix2.reg
C:\SDFix\apps\HPFix3.reg
C:\SDFix\apps\HPFix4.reg
C:\SDFix\apps\HPFix5.reg
C:\SDFix\apps\HPFix6.reg
C:\SDFix\apps\HPFix7.reg
C:\SDFix\apps\HPFix8.reg
C:\SDFix\apps\HPFix9.reg
C:\SDFix\apps\isadmin.exe
C:\SDFix\apps\leg2.txt
C:\SDFix\apps\legacy.txt
C:\SDFix\apps\legacybk.txt
C:\SDFix\apps\locate.com
C:\SDFix\apps\LS.exe
C:\SDFix\apps\MD5File.exe
C:\SDFix\apps\MyGcpvFix.reg
C:\SDFix\apps\MyGkFix2.reg
C:\SDFix\apps\Process.exe
C:\SDFix\apps\procs.exe
C:\SDFix\apps\psservice.exe
C:\SDFix\apps\Rem.txt
C:\SDFix\apps\Rem2.txt
C:\SDFix\apps\Replace\regedit.exe
C:\SDFix\apps\Replace\W2K.exe
C:\SDFix\apps\Replace\w2k\beep.sys
C:\SDFix\apps\Replace\w2k\null.sys
C:\SDFix\apps\Replace\XP.exe
C:\SDFix\apps\Replace\xp\beep.sys
C:\SDFix\apps\Replace\xp\null.sys
C:\SDFix\apps\Reset_AppInit_DLLs.reg
C:\SDFix\apps\RestartIt!.exe
C:\SDFix\apps\Restore_SecurityCenter.reg
C:\SDFix\apps\Restore_SharedAccess.reg
C:\SDFix\apps\sc.exe
C:\SDFix\apps\sed.exe
C:\SDFix\apps\SF.exe
C:\SDFix\apps\shutdown.exe
C:\SDFix\apps\srv2.txt
C:\SDFix\apps\srv2bk.txt
C:\SDFix\apps\svc.txt
C:\SDFix\apps\svcbk.txt
C:\SDFix\apps\swreg.exe
C:\SDFix\apps\swsc.exe
C:\SDFix\apps\unzip.exe
C:\SDFix\apps\vfind.exe
C:\SDFix\apps\WINMSG.EXE
C:\SDFix\apps\winsec.reg
C:\SDFix\apps\zip.exe
C:\SDFix\backups\backupreg.zip
C:\SDFix\backups\backups.zip
C:\SDFix\backups\HOSTS
C:\SDFix\catchme.exe
C:\SDFix\dummy.sys
C:\SDFix\Report.txt
C:\SDFix\RunThis.bat
C:\SDFix\SDFIX_ReadMe_Online.url
C:\SDFix\sinowaltest1.txt
C:\SDFix\W2K_CodecRepair.inf
C:\SDFix\XP_CodecRepair.inf

.
((((((((((((((((((((((((( Files Created from 2008-06-17 to 2008-07-17 )))))))))))))))))))))))))))))))
.

2008-07-17 16:10 . 2008-07-17 16:10 <DIR> d-------- C:\Documents and Settings\PepÚ
2008-07-17 15:13 . 2008-07-17 15:13 <DIR> d-------- C:\WINDOWS\ERUNT
2008-07-17 11:08 . 2008-07-17 11:08 <DIR> d-------- C:\Documents and Settings\Pepé\DoctorWeb
2008-07-17 11:08 . 2008-07-17 11:08 <DIR> d-------- C:\Documents and Settings\Pepé\DoctorWeb
2008-07-14 18:35 . 2008-07-14 18:35 <DIR> d-------- C:\Program Files\Lavasoft
2008-07-14 18:35 . 2008-07-14 18:37 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Lavasoft
2008-07-06 15:25 . 2008-07-06 15:25 <DIR> d-------- C:\WINDOWS\system32\Lessons
2008-06-28 14:23 . 2008-06-28 14:23 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-06-19 23:48 . 2008-06-19 23:49 <DIR> d-------- C:\Program Files\TheSage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-17 14:36 40,947,744 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-17 14:02 480,404 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-07-14 16:35 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-14 16:29 --------- d-----w C:\Documents and Settings\Pepé\Data aplikací\Lavasoft
2008-07-14 16:07 --------- d-----w C:\Program Files\Bonjour
2008-07-05 14:25 --------- d-----w C:\Program Files\Vitware
2008-06-28 12:23 --------- d-----w C:\Program Files\Common Files\Real
2008-06-28 12:22 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-06-28 12:22 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-06-27 04:26 24,820 ----a-w C:\WINDOWS\system32\drivers\MxlW2k.sys
2008-06-24 14:11 --------- d-----w C:\Program Files\ICQToolbar
2008-06-10 16:56 34,312 ----a-w C:\WINDOWS\system32\drivers\epfwtdir.sys
2008-06-10 16:48 53,256 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys
2008-06-10 16:47 39,944 ----a-w C:\WINDOWS\system32\drivers\eamon.sys
2008-06-03 16:23 --------- d-----w C:\Program Files\iTunes
2008-06-03 16:23 --------- d-----w C:\Program Files\iPod
2008-06-03 16:22 --------- d-----w C:\Documents and Settings\All Users\Data aplikací\Apple Computer
2008-06-03 16:21 --------- d-----w C:\Program Files\QuickTime
2008-05-28 20:31 --------- d-----w C:\Program Files\Java
2008-05-16 09:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\WINDOWS\system32\Lessons ----

2006-11-15 01:39 9412 --a------ C:\WINDOWS\system32\Lessons\Travelling and Tourism.txt
2006-11-15 01:39 8720 --a------ C:\WINDOWS\system32\Lessons\Animals - Mammals.txt
2006-11-15 01:39 8198 --a------ C:\WINDOWS\system32\Lessons\Health and Illness.txt
2006-11-15 01:39 7836 --a------ C:\WINDOWS\system32\Lessons\In the City.txt
2006-11-15 01:39 7733 --a------ C:\WINDOWS\system32\Lessons\School.txt
2006-11-15 01:39 706 --a------ C:\WINDOWS\system32\Lessons\Days of the Week.txt
2006-11-15 01:39 6762 --a------ C:\WINDOWS\system32\Lessons\On the Road.txt
2006-11-15 01:39 6584 --a------ C:\WINDOWS\system32\Lessons\Food.txt
2006-11-15 01:39 652 --a------ C:\WINDOWS\system32\Lessons\Numbers 11-20.txt
2006-11-15 01:39 6290 --a------ C:\WINDOWS\system32\Lessons\Human Body.txt
2006-11-15 01:39 6257 --a------ C:\WINDOWS\system32\Lessons\Describing People.txt
2006-11-15 01:39 6140 --a------ C:\WINDOWS\system32\Lessons\Religion.txt
2006-11-15 01:39 6130 --a------ C:\WINDOWS\system32\Lessons\Shopping.txt
2006-11-15 01:39 5925 --a------ C:\WINDOWS\system32\Lessons\Computing.txt
2006-11-15 01:39 592 --a------ C:\WINDOWS\system32\Lessons\Numbers 20-100.txt
2006-11-15 01:39 5766 --a------ C:\WINDOWS\system32\Lessons\Clothing.txt
2006-11-15 01:39 5745 --a------ C:\WINDOWS\system32\Lessons\Tools.txt
2006-11-15 01:39 564 --a------ C:\WINDOWS\system32\Lessons\Numbers 0-10.txt
2006-11-15 01:39 5547 --a------ C:\WINDOWS\system32\Lessons\Character.txt
2006-11-15 01:39 5430 --a------ C:\WINDOWS\system32\Lessons\On the Beach.txt
2006-11-15 01:39 5331 --a------ C:\WINDOWS\system32\Lessons\Military.txt
2006-11-15 01:39 5092 --a------ C:\WINDOWS\system32\Lessons\Jobs.txt
2006-11-15 01:39 4873 --a------ C:\WINDOWS\system32\Lessons\Money.txt
2006-11-15 01:39 4825 --a------ C:\WINDOWS\system32\Lessons\Music.txt
2006-11-15 01:39 4594 --a------ C:\WINDOWS\system32\Lessons\Weather.txt
2006-11-15 01:39 4494 --a------ C:\WINDOWS\system32\Lessons\In the Kitchen.txt
2006-11-15 01:39 4489 --a------ C:\WINDOWS\system32\Lessons\Daily Routine.txt
2006-11-15 01:39 4400 --a------ C:\WINDOWS\system32\Lessons\Horrors.txt
2006-11-15 01:39 4304 --a------ C:\WINDOWS\system32\Lessons\Shops.txt
2006-11-15 01:39 4301 --a------ C:\WINDOWS\system32\Lessons\Body Language.txt
2006-11-15 01:39 4289 --a------ C:\WINDOWS\system32\Lessons\In the Bathroom.txt
2006-11-15 01:39 4241 --a------ C:\WINDOWS\system32\Lessons\Scenery.txt
2006-11-15 01:39 4160 --a------ C:\WINDOWS\system32\Lessons\Trains.txt
2006-11-15 01:39 4108 --a------ C:\WINDOWS\system32\Lessons\Easy Textbook Instructions.txt
2006-11-15 01:39 4097 --a------ C:\WINDOWS\system32\Lessons\Home Appliances.txt
2006-11-15 01:39 4013 --a------ C:\WINDOWS\system32\Lessons\Easy House.txt
2006-11-15 01:39 4000 --a------ C:\WINDOWS\system32\Lessons\Relationships.txt
2006-11-15 01:39 3763 --a------ C:\WINDOWS\system32\Lessons\In the Office.txt
2006-11-15 01:39 3683 --a------ C:\WINDOWS\system32\Lessons\Cooking.txt
2006-11-15 01:39 3634 --a------ C:\WINDOWS\system32\Lessons\Vehicles.txt
2006-11-15 01:39 3612 --a------ C:\WINDOWS\system32\Lessons\Easy Food.txt
2006-11-15 01:39 3507 --a------ C:\WINDOWS\system32\Lessons\Winter Wonderland.txt
2006-11-15 01:39 3503 --a------ C:\WINDOWS\system32\Lessons\Animals - Birds.txt
2006-11-15 01:39 3488 --a------ C:\WINDOWS\system32\Lessons\Television.txt
2006-11-15 01:39 3423 --a------ C:\WINDOWS\system32\Lessons\Movies.txt
2006-11-15 01:39 3311 --a------ C:\WINDOWS\system32\Lessons\Everyday Objects.txt
2006-11-15 01:39 3301 --a------ C:\WINDOWS\system32\Lessons\Animals - Insects.txt
2006-11-15 01:39 3233 --a------ C:\WINDOWS\system32\Lessons\In the Bedroom.txt
2006-11-15 01:39 3194 --a------ C:\WINDOWS\system32\Lessons\At the Post Office.txt
2006-11-15 01:39 3162 --a------ C:\WINDOWS\system32\Lessons\Animals - Water animals.txt
2006-11-15 01:39 3113 --a------ C:\WINDOWS\system32\Lessons\Weddings.txt
2006-11-15 01:39 3061 --a------ C:\WINDOWS\system32\Lessons\Easy School.txt
2006-11-15 01:39 2931 --a------ C:\WINDOWS\system32\Lessons\Food - Vegetables.txt
2006-11-15 01:39 2911 --a------ C:\WINDOWS\system32\Lessons\Easy Body.txt
2006-11-15 01:39 2891 --a------ C:\WINDOWS\system32\Lessons\Describing Food.txt
2006-11-15 01:39 2870 --a------ C:\WINDOWS\system32\Lessons\Easy Sports.txt
2006-11-15 01:39 2867 --a------ C:\WINDOWS\system32\Lessons\Magic.txt
2006-11-15 01:39 2862 --a------ C:\WINDOWS\system32\Lessons\Drinks.txt
2006-11-15 01:39 2800 --a------ C:\WINDOWS\system32\Lessons\Christmas.txt
2006-11-15 01:39 2787 --a------ C:\WINDOWS\system32\Lessons\Easy Clothes.txt
2006-11-15 01:39 2760 --a------ C:\WINDOWS\system32\Lessons\Easy Travel.txt
2006-11-15 01:39 2748 --a------ C:\WINDOWS\system32\Lessons\Health Problems.txt
2006-11-15 01:39 2727 --a------ C:\WINDOWS\system32\Lessons\Easy Animals.txt
2006-11-15 01:39 2722 --a------ C:\WINDOWS\system32\Lessons\Food - Fruits.txt
2006-11-15 01:39 2695 --a------ C:\WINDOWS\system32\Lessons\Crime and Punishment 1.txt
2006-11-15 01:39 2566 --a------ C:\WINDOWS\system32\Lessons\Space.txt
2006-11-15 01:39 2566 --a------ C:\WINDOWS\system32\Lessons\In the Park.txt
2006-11-15 01:39 2483 --a------ C:\WINDOWS\system32\Lessons\Easy Describing People.txt
2006-11-15 01:39 2465 --a------ C:\WINDOWS\system32\Lessons\Easy Irregular verbs.txt
2006-11-15 01:39 2444 --a------ C:\WINDOWS\system32\Lessons\Easy Jobs.txt
2006-11-15 01:39 2349 --a------ C:\WINDOWS\system32\Lessons\Easy Verbs.txt
2006-11-15 01:39 2280 --a------ C:\WINDOWS\system32\Lessons\Easy Family.txt
2006-11-15 01:39 2253 --a------ C:\WINDOWS\system32\Lessons\Animals - Reptiles and Amphibians.txt
2006-11-15 01:39 2248 --a------ C:\WINDOWS\system32\Lessons\Personal Data.txt
2006-11-15 01:39 2226 --a------ C:\WINDOWS\system32\Lessons\Feelings.txt
2006-11-15 01:39 2125 --a------ C:\WINDOWS\system32\Lessons\Easy Town.txt
2006-11-15 01:39 2076 --a------ C:\WINDOWS\system32\Lessons\Easy Tools.txt
2006-11-15 01:39 1849 --a------ C:\WINDOWS\system32\Lessons\Describing Places.txt
2006-11-15 01:39 1803 --a------ C:\WINDOWS\system32\Lessons\Easy Weather.txt
2006-11-15 01:39 1530 --a------ C:\WINDOWS\system32\Lessons\Easy Character.txt
2006-11-15 01:39 1369 --a------ C:\WINDOWS\system32\Lessons\Months and seasons.txt
2006-11-15 01:39 1114 --a------ C:\WINDOWS\system32\Lessons\Easy Colours.txt
2006-11-15 01:39 11086 --a------ C:\WINDOWS\system32\Lessons\Irregular Verbs.txt
2006-11-15 01:39 10854 --a------ C:\WINDOWS\system32\Lessons\Sports.txt
2006-11-15 01:39 10735 --a------ C:\WINDOWS\system32\Lessons\House.txt


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-17 16:49 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 17:28 790528]
"SMail"="C:\Program Files\Seznam\Postak\Postak.exe" [2006-05-18 15:36 450560]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-01-23 13:09 675840]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-06-28 14:22 185896]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-06-10 18:52 1447168]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-17 16:49 15360]

C:\Documents and Settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
WinCinema Manager.lnk - C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe [2007-08-07 17:01:38 303104]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 01:00:00 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-18 00:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-06-10 18:56]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-04 00:04]
.
Contents of the 'Scheduled Tasks' folder
"2008-06-27 14:10:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-17 16:36:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-07-17 16:39:20
ComboFix-quarantined-files.txt 2008-07-17 14:38:15
ComboFix2.txt 2008-07-17 14:10:26

Adresářů: 8, Volných bajtů: 3,940,507,648
Adresářů: 9, Volných bajtů: 3,920,039,936

270






HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:41:47, on 17.7.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Seznam\Postak\Postak.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Pepé\Plocha\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SMail] "C:\Program Files\Seznam\Postak\Postak.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/s ... wflash.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6425 bytes

[stell]

Pockaj chvilku lebo nieco studujeme,OK

[stell]

ok,uz je to ok:
Start spustit vloz combofix /u ok
Fixni v HJT:
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
Precisti >PC< CCleanerom:

Stáhni, nainstaluj a spusť program CCleaner - http://www.ccleaner.com/download/downloadpage.aspx?f=2
- Klikni na Cleaner -> záložku Windows a stiskni Analyzovat a poté Spustit Cleaner
- Klikni na záložku Aplikace a stiskni Analyzovat a poté Spustit Cleaner
- Klikni na Registry, stiskni Hledej problémy, po dokončení skenování klikni na Opravit vybrané problémy,
-zvol Ano pro vytvoření zálohy, ulož nabídnutý soubor a klikni na Opravit všechny problémy

A ak si zmenil vsetky hesla je to ok.
Edit/Este nieco zmaz zlozku:C:\WINDOWS\system32\Lessons>su tam len dajake divne .txt.

[miccal]

... no tedy nestačím se divit, jak to všechno zvládnete, navíc se mi tu objevilo přes 5 GB místa.
Všechna čest, děkuji za trpělivost. Posílám SMS a doporučuji.

Díky

[stell]

Ja tiez
Oki dikes za SMS.a nemas zaco dakovat.

[biglimasol]

Zdravim, at dělám co dělám furt se toho trojana nemůžu zbavit, zkoušel jsem všechny postupy co tu jsou a nic. Jedine co jsem zjistil, že neni na systemovém disku, protože po odpojení přidavných disků (1x HDD iDE šuplík, 2xSATA HDD přes řadič) NOD nic nenašel, nenašla by se nějaká rada?

[lukyluk]

Nechci předbíhat fundované rady Stella, ale určitě sem pošli log z mbr.exe. A výsledek po scanu GMERu.

[stell]

Ano presne tak,a Log z HJT.

[biglimasol]

nevím co jsem s PC provedl ale už je to asi fuč, ale ještě PC projedu podle toho návodu SDfix, Combofix a CCleaner a snad to už nic nenajde:D

ale i tak tady jsou log:

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-07-18 14:58:43
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT d347bus.sys (PnP BIOS Extension/ ) ZwEnumerateKey [0xF77EA2A8]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwEnumerateValueKey [0xF77F5910]

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 86375EB0

AttachedDevice \FileSystem\Ntfs \Ntfs SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs amon.sys (Amon monitor/Eset )

Device \Driver\Tcpip \Device\Ip wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \Driver\Tcpip \Device\Udp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

---- Modules - GMER 1.0.14 ----

Module _________ F774C000-F7764000 (98304 bytes)

---- EOF - GMER 1.0.14 ----


HIJACKTHIS

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:08:43, on 18.7.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
C:\Program Files\Total Commander\TOTALCMD.EXE
C:\WINDOWS\system32\CNAB4RPK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
H:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Flashget Catch Url Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Total Commander.lnk = C:\Program Files\Total Commander\TOTALCMD.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PC Alert 4.lnk = C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Stáhnout FlashGetem - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &Stáhnout všechno FlashGetem - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{5D17062A-7550-4BD0-96C4-4AD2A33CFBDC}: NameServer = 85.13.78.111,10.97.50.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{5D17062A-7550-4BD0-96C4-4AD2A33CFBDC}: NameServer = 85.13.78.111,10.97.50.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{5D17062A-7550-4BD0-96C4-4AD2A33CFBDC}: NameServer = 85.13.78.111,10.97.50.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 5126 bytes



Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

[biglimasol]

Sakra, radoval jsem se příliž brzo,

otestoval jeden soubor přes NOD a zasa to píše

MBR sektor 3. fyzického disku - Win32/Mebroot.K trojský kůň

[stell]

OkSprav to takto;
Start>spustit napis: diskmgmt.msc a das sem sreenshot.
Spustis SDFIX>v nudzovom a vloz sem log.
Potom combofix a tiez daj sem log

[biglimasol]

[biglimasol]

SDFix: Version 1.206
Run by Administrator on p  18.07.2008 at 15:39

Microsoft Windows XP [Verze 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
{DEF85C80-216A-43ab-AF70-1665EDBE2780}

Path :
\??\C:\WINDOWS\TEMP\700.tmp

{DEF85C80-216A-43ab-AF70-1665EDBE2780} - Deleted



Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\Temp\bca4e2da.$$$ - Deleted
C:\WINDOWS\Temp\fa56d7ec.$$$ - Deleted

Note - Files associated with the MBR Rootkit have been found on this system, to check the PC use the MBR Rootkit Detector by Gmer or CureIt by Dr.Web




Removing Temp Files

ADS Check :