PC virus removal, computer speed-up, remote help via the neslape.cz service

Virus-infected PC, asking for advice.

Have a problem with a virus? Post a log from FRST or RSIT here.


Forum rules
If you want help, post a log from FRST [guide here] or RSIT [guide here]

Individual threads will be locked once they are resolved, as will those that have been inactive for more than 14 days. See the rule on locking topics. Thank you for understanding.

!NEW!
You can now use the remote help service, where a specialist connects to your computer and gets further details about the problem from you by phone! More at www.neslape.cz
Acer
Visitor
Posts: 7
Registered: 24 Nov 2011 14:08

Virus-infected PC, asking for advice.

#1 Post by Acer »

Hello, I would like to ask for advice. My parents' computer is fairly badly infected and I don't know how to deal with it.
Problems:
No antivirus works; in fact none can even be installed. The only one that would install was Avast, and after two minutes it switched off all of its shields by itself.
The internet connection does not work. I have the icon in the corner with no exclamation mark and everything looks fine, but after clicking Repair a window pops up: "Windows could not finish repairing the problem because the following action cannot be completed: Failed to query TCP/IP settings of the connection. Cannot proceed."
The firewall and updates are off and cannot be turned on. When I try to turn on the firewall, a popup appears again with the text: "Windows Firewall settings cannot be displayed because the associated service is not running. Do you want to start the Windows Firewall/Internet Connection Sharing (ICS) service?" After clicking Yes, it says the service failed to start.

RSIT log output
---------------------------------------
Logfile of random's system information tool 1.09 (written by random/random)
Run by acer at 2011-11-24 14:16:14
Systém Microsoft Windows XP Professional Service Pack 3
System drive C: has 221 GB (93%) free of 238 GB
Total RAM: 2037 MB (83% free)

HijackThis download failed

=========Mozilla firefox=========

ProfilePath - C:\Documents and Settings\acer\Data aplikací\Mozilla\Firefox\Profiles\7mx24ojz.default

prefs.js - "browser.startup.homepage" - "www.seznam.cz"
prefs.js - "extensions.enabledItems" - "jqs@sun.com:1.0, {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.6, {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.6.17"
prefs.js - "keyword.URL" - "http://search.icq.com/search/afe_result ... r=1.3.6&q="

"jqs@sun.com"=C:\Program Files\Java\jre6\lib\deploy\jqs\ff


[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@adobe.com/FlashPlayer]
"Description"=Adobe® Flash® Player 10.1 Plugin
"Path"=C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0]
"Description"=Office Authorization plug-in for NPAPI browsers
"Path"=C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@microsoft.com/SharePoint,version=14.0]
"Description"=Microsoft SharePoint Plug-in for Firefox
"Path"=C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@software602.cz/602XML Filler]
"Description"=
"Path"=

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\Adobe Reader]
"Description"=Handles PDFs in-place in Firefox
"Path"=C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd}

C:\Program Files\Mozilla Firefox\components\
binary.manifest
browsercomps.dll
nsIQTScriptablePlugin.xpt

C:\Program Files\Mozilla Firefox\plugins\
nppdf32.dll
npqtplugin.dll
npqtplugin2.dll
npqtplugin3.dll
npqtplugin4.dll
npqtplugin5.dll
npqtplugin6.dll
npqtplugin7.dll
QuickTimePlugin.class

C:\Program Files\Mozilla Firefox\searchplugins\
google.xml
heureka-cz.xml
jyxo-cz.xml
seznam-cz.xml
slunecnice-cz.xml
wikipedia-cz.xml

C:\Documents and Settings\acer\Data aplikací\Mozilla\Firefox\Profiles\7mx24ojz.default\extensions\
ffxtlbr@babylon.com
{ea614400-e918-4741-9a97-7a972ff7c30b}

C:\Documents and Settings\acer\Data aplikací\Mozilla\Firefox\Profiles\7mx24ojz.default\searchplugins\
icqplugin-1.xml
icqplugin-2.xml
icqplugin-3.xml
icqplugin-4.xml
icqplugin-5.xml
icqplugin-6.xml
icqplugin-7.xml
icqplugin.xml
Phpnuke.xml

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2010-09-22 75200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}]
Office Document Cache Handler - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL [2010-02-28 561552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-09-03 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2010-09-03 79648]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2009-01-21 134656]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2009-01-21 166912]
"Persistence"=C:\WINDOWS\system32\igfxpers.exe [2009-01-21 134656]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2009-01-13 18084864]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2011-09-07 37296]
"Adobe ARM"=C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2011-03-30 937920]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2008-09-06 413696]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2009-01-21 205824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\wpdshserviceobj.dll [2008-08-08 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=67108863
"NoDriveTypeAutoRun"=323
"NoDrives"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\hp_CLJ_CM1015-CM1017_Full_Solution\setup\HPZnet01.exe"="C:\hp_CLJ_CM1015-CM1017_Full_Solution\setup\HPZnet01.exe:*:Enabled:hpznet01.exe"
"C:\hp_CLJ_CM1015-CM1017_Full_Solution\setup\hppniprint01.exe"="C:\hp_CLJ_CM1015-CM1017_Full_Solution\setup\hppniprint01.exe:*:Enabled:hppniprint01.exe"
"C:\hp_CLJ_CM1015-CM1017_Full_Solution\setup\hppniprint64.exe"="C:\hp_CLJ_CM1015-CM1017_Full_Solution\setup\hppniprint64.exe:*:Enabled:hppniprint64.exe"
"C:\hp_CLJ_CM1015-CM1017_Full_Solution\setup\hppnicifs01.exe"="C:\hp_CLJ_CM1015-CM1017_Full_Solution\setup\hppnicifs01.exe:*:Enabled:hppnicifs01.exe"
"C:\hp_CLJ_CM1015-CM1017_Full_Solution\setup\hpntwkexe.exe"="C:\hp_CLJ_CM1015-CM1017_Full_Solution\setup\hpntwkexe.exe:*:Enabled:hpntwkexe.exe"
"C:\Program Files\Microsoft Office\Office14\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office14\ONENOTE.EXE:*:Enabled:Microsoft OneNote"
"C:\Program Files\HP\HP Deskjet 1050 J410 series\Bin\USBSetup.exe"="C:\Program Files\HP\HP Deskjet 1050 J410 series\Bin\USBSetup.exe:LocalSubNet:Enabled:Instalace zařízení HP"
"C:\WINDOWS\twain_32\Samsung\ScanMgr.exe"="C:\WINDOWS\twain_32\Samsung\ScanMgr.exe:*:Enabled:Scan Manger"
"C:\WINDOWS\twain_32\Samsung\SCX3200\Sscan2io.exe"="C:\WINDOWS\twain_32\Samsung\SCX3200\Sscan2io.exe:*:Enabled:SScanToIO"
"C:\Program Files\ICQ7.2\ICQ.exe"="C:\Program Files\ICQ7.2\ICQ.exe:*:Enabled:ICQ7.2"
"C:\Program Files\ICQ7.2\aolload.exe"="C:\Program Files\ICQ7.2\aolload.exe:*:Enabled:aolload.exe"
"C:\Program Files\TeamViewer\Version6\TeamViewer.exe"="C:\Program Files\TeamViewer\Version6\TeamViewer.exe:*:Enabled:Teamviewer Remote Control Application"
"C:\Program Files\Microsoft Office\Office14\CLVIEW.EXE"="C:\Program Files\Microsoft Office\Office14\CLVIEW.EXE:*:Enabled:Microsoft Office Help Viewer"
"C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox"
"C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCompanion.exe"="C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCompanion.exe:*:Enabled:Sony Ericsson PC Companion"
"C:\Program Files\Java\jre6\bin\java.exe"="C:\Program Files\Java\jre6\bin\java.exe:*:Enabled:Java(TM) Platform SE binary"
"C:\Program Files\Mozilla Firefox\plugin-container.exe"="C:\Program Files\Mozilla Firefox\plugin-container.exe:*:Enabled:Plugin Container for Firefox"
"C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE"="C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE:*:Enabled:Microsoft Application Error Reporting"
"C:\Program Files\VideoLAN\VLC\vlc.exe"="C:\Program Files\VideoLAN\VLC\vlc.exe:*:Enabled:VLC media player"
"C:\Program Files\Java\jre6\bin\javaw.exe"="C:\Program Files\Java\jre6\bin\javaw.exe:*:Enabled:Java(TM) Platform SE binary"
"C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"="C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE:*:Enabled:Office Source Engine"
"C:\Program Files\HP\HP UT LEDM\bin\hppusg.exe"="C:\Program Files\HP\HP UT LEDM\bin\hppusg.exe:*:Enabled:HP UT LEDM Driver"
"C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"="C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe:*:Enabled:Adobe Reader and Acrobat Manager"
"C:\Program Files\SamsungPrinterLiveUpdate\SP_Connector.exe"="C:\Program Files\SamsungPrinterLiveUpdate\SP_Connector.exe:*:Enabled:Samsung Printer Connector"
"C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\Drivers\DPInst.exe"="C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\Drivers\DPInst.exe:*:Enabled:Instalační program balíčku s ovladačem"
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"="C:\Program Files\Microsoft Office\Office14\WINWORD.EXE:*:Enabled:Microsoft Word"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\ICQ7.2\ICQ.exe"="C:\Program Files\ICQ7.2\ICQ.exe:*:Enabled:ICQ7.2"
"C:\Program Files\ICQ7.2\aolload.exe"="C:\Program Files\ICQ7.2\aolload.exe:*:Enabled:aolload.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"midimapper"=midimap.dll
"msacm.imaadpcm"=imaadp32.acm
"msacm.msadpcm"=msadp32.acm
"msacm.msg711"=msg711.acm
"msacm.msgsm610"=msgsm32.acm
"msacm.trspch"=tssoft32.acm
"vidc.cvid"=iccvid.dll
"vidc.I420"=msh263.drv
"vidc.iv31"=ir32_32.dll
"vidc.iv32"=ir32_32.dll
"vidc.iv41"=ir41_32.ax
"vidc.iyuv"=iyuv_32.dll
"vidc.mrle"=msrle32.dll
"vidc.msvc"=msvidc32.dll
"vidc.uyvy"=msyuv.dll
"vidc.yuy2"=msyuv.dll
"vidc.yvu9"=tsbyuv.dll
"vidc.yvyu"=msyuv.dll
"wavemapper"=msacm32.drv
"msacm.msg723"=msg723.acm
"vidc.M263"=msh263.drv
"vidc.M261"=msh261.drv
"msacm.msaudio1"=msaud32.acm
"msacm.sl_anet"=sl_anet.acm
"msacm.iac2"=C:\WINDOWS\system32\iac25_32.ax
"vidc.iv50"=ir50_32.dll
"msacm.l3acm"=C:\WINDOWS\system32\l3codeca.acm
"wave"=wdmaud.drv
"midi"=wdmaud.drv
"mixer"=wdmaud.drv
"aux"=wdmaud.drv

======List of files/folders created in the last 1 month======

2011-11-24 13:55:39 ----D---- C:\rsit
2011-11-24 13:55:39 ----D---- C:\Program Files\trend micro
2011-11-24 13:47:42 ----SHD---- C:\RECYCLER
2011-11-24 13:47:19 ----D---- C:\Program Files\CCleaner
2011-11-24 13:45:30 ----D---- C:\WINDOWS\temp
2011-11-24 13:45:28 ----A---- C:\ComboFix.txt
2011-11-24 13:40:16 ----A---- C:\Boot.bak
2011-11-24 13:40:12 ----RASHD---- C:\cmdcons
2011-11-24 13:39:14 ----A---- C:\WINDOWS\zip.exe
2011-11-24 13:39:14 ----A---- C:\WINDOWS\SWXCACLS.exe
2011-11-24 13:39:14 ----A---- C:\WINDOWS\SWSC.exe
2011-11-24 13:39:14 ----A---- C:\WINDOWS\SWREG.exe
2011-11-24 13:39:14 ----A---- C:\WINDOWS\sed.exe
2011-11-24 13:39:14 ----A---- C:\WINDOWS\PEV.exe
2011-11-24 13:39:14 ----A---- C:\WINDOWS\NIRCMD.exe
2011-11-24 13:39:14 ----A---- C:\WINDOWS\MBR.exe
2011-11-24 13:39:14 ----A---- C:\WINDOWS\grep.exe
2011-11-24 13:39:10 ----D---- C:\WINDOWS\ERDNT
2011-11-24 13:39:05 ----D---- C:\Qoobox
2011-11-23 14:17:35 ----D---- C:\Documents and Settings\All Users\Data aplikací\Sun
2011-11-23 14:03:26 ----A---- C:\WINDOWS\system32\drivers\vdmindvd.sys
2011-11-23 14:03:26 ----A---- C:\WINDOWS\system32\drivers\usbd.sys
2011-11-23 14:03:26 ----A---- C:\WINDOWS\system32\drivers\tsbvcap.sys
2011-11-23 14:03:26 ----A---- C:\WINDOWS\system32\drivers\tosdvd.sys
2011-11-23 14:03:25 ----A---- C:\WINDOWS\system32\drivers\riodrv.sys
2011-11-23 14:03:25 ----A---- C:\WINDOWS\system32\drivers\rio8drv.sys
2011-11-23 14:03:25 ----A---- C:\WINDOWS\system32\drivers\pciide.sys
2011-11-23 14:03:25 ----A---- C:\WINDOWS\system32\drivers\oprghdlr.sys
2011-11-23 14:03:24 ----A---- C:\WINDOWS\system32\drivers\nikedrv.sys
2011-11-23 14:03:24 ----A---- C:\WINDOWS\system32\drivers\mouhid.sys
2011-11-23 14:03:24 ----A---- C:\WINDOWS\system32\drivers\ftdisk.sys
2011-11-23 14:03:23 ----A---- C:\WINDOWS\system32\drivers\fsvga.sys
2011-11-23 14:03:23 ----A---- C:\WINDOWS\system32\drivers\cpqdap01.sys
2011-11-23 14:03:23 ----A---- C:\WINDOWS\system32\drivers\cinemst2.sys
2011-11-23 14:03:22 ----A---- C:\WINDOWS\system32\drivers\cdaudio.sys
2011-11-23 14:03:22 ----A---- C:\WINDOWS\system32\drivers\cbidf2k.sys
2011-11-23 14:03:22 ----A---- C:\WINDOWS\system32\drivers\audstub.sys
2011-11-23 14:03:22 ----A---- C:\WINDOWS\system32\drivers\acpiec.sys
2011-11-23 14:03:21 ----A---- C:\WINDOWS\system32\drivers\nic1394.sys
2011-11-23 14:03:21 ----A---- C:\WINDOWS\system32\drivers\ndisuio.sys
2011-11-23 14:03:21 ----A---- C:\WINDOWS\system32\drivers\modem.sys
2011-11-23 14:03:21 ----A---- C:\WINDOWS\system32\drivers\hidusb.sys
2011-11-23 14:03:20 ----A---- C:\WINDOWS\system32\drivers\acpi.sys
2011-11-23 14:03:19 ----A---- C:\WINDOWS\system32\drivers\usbcamd2.sys
2011-11-23 14:03:19 ----A---- C:\WINDOWS\system32\drivers\mspclock.sys
2011-11-23 14:03:18 ----A---- C:\WINDOWS\system32\drivers\usbehci.sys
2011-11-23 14:03:18 ----A---- C:\WINDOWS\system32\drivers\sonydcam.sys
2011-11-23 14:03:18 ----A---- C:\WINDOWS\system32\drivers\serial.sys
2011-11-23 14:03:18 ----A---- C:\WINDOWS\system32\drivers\hidparse.sys
2011-11-23 14:03:17 ----A---- C:\WINDOWS\system32\drivers\sfloppy.sys
2011-11-23 14:03:17 ----A---- C:\WINDOWS\system32\drivers\serenum.sys
2011-11-23 14:03:17 ----A---- C:\WINDOWS\system32\drivers\parport.sys
2011-11-23 14:03:17 ----A---- C:\WINDOWS\system32\drivers\mskssrv.sys
2011-11-23 14:03:16 ----A---- C:\WINDOWS\system32\drivers\wdmaud.sys
2011-11-23 14:03:16 ----A---- C:\WINDOWS\system32\drivers\usbuhci.sys
2011-11-23 14:03:16 ----A---- C:\WINDOWS\system32\drivers\pci.sys
2011-11-23 14:03:16 ----A---- C:\WINDOWS\system32\drivers\p3.sys
2011-11-23 14:03:16 ----A---- C:\WINDOWS\system32\drivers\dmusic.sys
2011-11-23 14:03:15 ----A---- C:\WINDOWS\system32\drivers\usbport.sys
2011-11-23 14:03:15 ----A---- C:\WINDOWS\system32\drivers\rdpdr.sys
2011-11-23 14:03:15 ----A---- C:\WINDOWS\system32\drivers\pcmcia.sys
2011-11-23 14:03:15 ----A---- C:\WINDOWS\system32\drivers\mouclass.sys
2011-11-23 14:03:14 ----A---- C:\WINDOWS\system32\drivers\usbhub.sys
2011-11-23 14:03:14 ----A---- C:\WINDOWS\system32\drivers\sffdisk.sys
2011-11-23 14:03:14 ----A---- C:\WINDOWS\system32\drivers\mssmbios.sys
2011-11-23 14:03:14 ----A---- C:\WINDOWS\system32\drivers\amdk6.sys
2011-11-23 14:03:14 ----A---- C:\WINDOWS\system32\drivers\aec.sys
2011-11-23 14:03:13 ----A---- C:\WINDOWS\system32\drivers\sffp_sd.sys
2011-11-23 14:03:13 ----A---- C:\WINDOWS\system32\drivers\isapnp.sys
2011-11-23 14:03:13 ----A---- C:\WINDOWS\system32\drivers\imapi.sys
2011-11-23 14:03:13 ----A---- C:\WINDOWS\system32\drivers\flpydisk.sys
2011-11-23 14:03:13 ----A---- C:\WINDOWS\system32\drivers\cdrom.sys
2011-11-23 14:03:12 ----A---- C:\WINDOWS\system32\drivers\termdd.sys
2011-11-23 14:03:12 ----A---- C:\WINDOWS\system32\drivers\swmidi.sys
2011-11-23 14:03:12 ----A---- C:\WINDOWS\system32\drivers\scsiport.sys
2011-11-23 14:03:12 ----A---- C:\WINDOWS\system32\drivers\processr.sys
2011-11-23 14:03:12 ----A---- C:\WINDOWS\system32\drivers\pciidex.sys
2011-11-23 14:03:12 ----A---- C:\WINDOWS\system32\drivers\kbdclass.sys
2011-11-23 14:03:12 ----A---- C:\WINDOWS\system32\drivers\http.sys
2011-11-23 14:03:11 ----A---- C:\WINDOWS\system32\drivers\kmixer.sys
2011-11-23 14:03:11 ----A---- C:\WINDOWS\system32\drivers\hidclass.sys
2011-11-23 14:03:11 ----A---- C:\WINDOWS\system32\drivers\disk.sys
2011-11-23 14:03:10 ----A---- C:\WINDOWS\system32\drivers\mspqm.sys
2011-11-23 14:03:10 ----A---- C:\WINDOWS\system32\drivers\mf.sys
2011-11-23 14:03:10 ----A---- C:\WINDOWS\system32\drivers\crusoe.sys
2011-11-23 14:03:09 ----A---- C:\WINDOWS\system32\drivers\intelppm.sys
2011-11-23 14:03:09 ----A---- C:\WINDOWS\system32\drivers\atapi.sys
2011-11-23 14:03:09 ----A---- C:\WINDOWS\system32\drivers\amdk7.sys
2011-11-23 14:03:08 ----A---- C:\WINDOWS\system32\drivers\drmkaud.sys
2011-11-23 14:03:08 ----A---- C:\WINDOWS\system32\drivers\arp1394.sys
2011-11-23 13:00:33 ----D---- C:\Program Files\AVAST Software
2011-11-23 13:00:33 ----D---- C:\Documents and Settings\All Users\Data aplikací\AVAST Software
2011-11-23 12:33:01 ----D---- C:\Poscom
2011-11-23 12:20:29 ----D---- C:\Documents and Settings\acer\Data aplikací\ESET
2011-11-23 12:19:32 ----D---- C:\Program Files\ESET
2011-11-23 12:19:32 ----D---- C:\Documents and Settings\All Users\Data aplikací\ESET
2011-11-23 12:08:58 ----D---- C:\Documents and Settings\acer\Data aplikací\Babylon
2011-11-23 12:08:58 ----D---- C:\Documents and Settings\All Users\Data aplikací\Babylon
2011-11-22 09:44:44 ----D---- C:\Program Files\COMODO
2011-11-22 09:44:15 ----D---- C:\Documents and Settings\All Users\Data aplikací\Comodo Downloader
2011-11-21 12:18:51 ----D---- C:\Poscom_IIout
2011-10-31 09:42:45 ----A---- C:\WINDOWS\system32\d3d9caps.dat

======List of files/folders modified in the last 1 month======

2011-11-24 14:14:01 ----D---- C:\WINDOWS\Prefetch
2011-11-24 14:13:46 ----D---- C:\Documents and Settings\All Users\Data aplikací\Microsoft
2011-11-24 14:08:54 ----D---- C:\WINDOWS\system32
2011-11-24 14:08:54 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2011-11-24 14:04:53 ----D---- C:\WINDOWS
2011-11-24 14:01:35 ----A---- C:\WINDOWS\SchedLgU.Txt
2011-11-24 13:57:10 ----D---- C:\WINDOWS\system32\drivers
2011-11-24 13:55:39 ----D---- C:\Program Files
2011-11-24 13:55:08 ----SHD---- C:\WINDOWS\Installer
2011-11-24 13:55:06 ----DC---- C:\WINDOWS\system32\DRVSTORE
2011-11-24 13:55:06 ----D---- C:\WINDOWS\inf
2011-11-24 13:55:06 ----D---- C:\Config.Msi
2011-11-24 13:55:00 ----D---- C:\Documents and Settings\All Users\Data aplikací\HP
2011-11-24 13:54:19 ----D---- C:\Program Files\InstallShield Installation Information
2011-11-24 13:49:33 ----A---- C:\WINDOWS\Samsung SCX-3200 Series.txt
2011-11-24 13:49:11 ----D---- C:\Program Files\SamsungPrinterLiveUpdate
2011-11-24 13:47:43 ----D---- C:\WINDOWS\Debug
2011-11-24 13:44:18 ----A---- C:\WINDOWS\system.ini
2011-11-24 13:42:27 ----D---- C:\WINDOWS\AppPatch
2011-11-24 13:42:23 ----D---- C:\Program Files\Common Files
2011-11-24 13:40:56 ----D---- C:\WINDOWS\system32\CatRoot2
2011-11-24 13:40:16 ----RASH---- C:\boot.ini
2011-11-24 13:22:35 ----A---- C:\WINDOWS\WINCMD.INI
2011-11-24 13:12:36 ----SHD---- C:\System Volume Information
2011-11-24 13:12:36 ----D---- C:\WINDOWS\system32\Restore
2011-11-23 14:29:59 ----D---- C:\WINDOWS\WinSxS
2011-11-23 14:28:31 ----D---- C:\WINDOWS\system32\config
2011-11-23 14:21:36 ----D---- C:\Program Files\O2 Mobilni internet
2011-11-23 14:17:31 ----D---- C:\Program Files\HP
2011-11-23 14:13:13 ----A---- C:\WINDOWS\win.ini
2011-11-23 14:11:54 ----RSD---- C:\WINDOWS\assembly
2011-11-23 14:09:07 ----D---- C:\WINDOWS\system32\NtmsData
2011-11-23 14:08:15 ----D---- C:\WINDOWS\twain_32
2011-11-23 14:04:55 ----SD---- C:\WINDOWS\Tasks
2011-11-23 14:03:32 ----RSDC---- C:\WINDOWS\system32\dllcache
2011-11-23 12:49:12 ----D---- C:\A_Uzávěrka_MAX
2011-11-23 12:18:37 ----D---- C:\Instal
2011-11-23 11:20:30 ----D---- C:\Program Files\Mozilla Firefox
2011-11-21 12:22:55 ----D---- C:\Poscom_out
2011-11-15 09:08:52 ----D---- C:\Documents and Settings\acer\Data aplikací\ICQ
2011-11-01 12:25:45 ----D---- C:\Data_remis_2011
2011-11-01 12:24:00 ----D---- C:\Remis

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 ehdrv;ehdrv; C:\WINDOWS\system32\DRIVERS\ehdrv.sys [2009-09-11 108792]
R1 intelppm;Řadič procesoru Intel; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 40192]
R1 kbdhid;Ovladač klávesnice standardu HID; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-14 14592]
R2 eamon;eamon; C:\WINDOWS\system32\DRIVERS\eamon.sys [2009-09-11 116008]
R2 epfw;epfw; C:\WINDOWS\system32\DRIVERS\epfw.sys [2009-09-11 135048]
R3 hidusb;Ovladač třídy standardu HID; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-14 10368]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\igxpmp32.sys [2009-01-21 6278560]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller; C:\WINDOWS\system32\DRIVERS\l1c51x86.sys [2009-03-31 39424]
R3 mouhid;Ovladač myši standardu HID; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-10-24 12160]
R3 usbccgp;Obecný nadřazený ovladač Microsoft USB; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-14 32128]
R3 USBSTOR;Ovladač velkokapacitního paměťového zařízení USB; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
R3 usbuhci;Ovladač Microsoft univerzálního hostitelského řadiče USB od společnosti Microsoft; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-14 20608]
S1 epfwtdi;epfwtdi; C:\WINDOWS\system32\DRIVERS\epfwtdi.sys [2009-09-11 55768]
S2 DgiVecp;DgiVecp; \??\C:\WINDOWS\system32\Drivers\DgiVecp.sys []
S2 SSPORT;SSPORT; \??\C:\WINDOWS\system32\Drivers\SSPORT.sys []
S3 catchme;catchme; \??\C:\DOCUME~1\acer\LOCALS~1\Temp\catchme.sys []
S3 Epfwndis;Eset Personal Firewall; C:\WINDOWS\system32\DRIVERS\Epfwndis.sys [2009-06-19 33096]
S3 gdrv;gdrv; \??\C:\WINDOWS\gdrv.sys []
S3 HDAudBus;Ovladač Microsoft UAA pro sběrnici High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys []
S3 HPFXBULK;HPFXBULK; C:\WINDOWS\system32\drivers\hpfxbulk.sys []
S3 hwdatacard;Huawei DataCard USB Modem and USB Serial; C:\WINDOWS\system32\DRIVERS\ewusbmdm.sys []
S3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys []
S3 L8042Kbd;Logitech SetPoint Keyboard Driver; C:\WINDOWS\system32\DRIVERS\L8042Kbd.sys []
S3 mvusbews;USB EWS Device; C:\WINDOWS\System32\Drivers\mvusbews.sys [2009-10-26 17408]
S3 Point32;Microsoft IntelliPoint Filter Driver; C:\WINDOWS\system32\DRIVERS\point32.sys []
S3 usbprint;Třída USB Printer; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;Ovladač skeneru USB; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-14 15104]
S3 Wdf01000;Kernel Mode Driver Frameworks service; C:\WINDOWS\System32\Drivers\wdf01000.sys []
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys []
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

S2 ekrn;ESET Service; C:\Program Files\ESET\ESET Smart Security\ekrn.exe [2009-09-11 735960]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 MSSQLServerADHelper;MSSQLServerADHelper; C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe [2002-12-17 66112]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-01-09 149352]
S3 osppsvc;Office Software Protection Platform; C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4640000]
S3 SQLAgent$SPZSQL2011;SQLAgent$SPZSQL2011; C:\Program Files\Microsoft SQL Server\MSSQL$SPZSQL2011\Binn\sqlagent.EXE [2002-12-17 311872]
S3 WMPNetworkSvc;Služba Windows Media Player Network Sharing; C:\Program Files\Windows Media Player\WMPNetwk.exe [2007-01-05 913920]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]

-----------------EOF-----------------
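As an added example (not code from the post or from the RSIT tool), here is a Python parser for the `List of drivers` lines in an RSIT log. It pulls out the state, start type, name, image path and file metadata, then flags the entries a helper would look at first: drivers whose file date and size RSIT could not read (the empty `[]`), drivers registered from a Temp directory, and drivers outside the standard `system32\drivers` folder. The sample lines are copied from the log above; the flags are review candidates, not verdicts.

```python
"""Parse the driver lines of an RSIT log and flag entries for review."""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Driver lines copied from the "List of drivers" section of the RSIT log above.
SAMPLE_LINES = [
    r"R1 ehdrv;ehdrv; C:\WINDOWS\system32\DRIVERS\ehdrv.sys [2009-09-11 108792]",
    r"R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller; C:\WINDOWS\system32\DRIVERS\l1c51x86.sys [2009-03-31 39424]",
    r"S2 DgiVecp;DgiVecp; \??\C:\WINDOWS\system32\Drivers\DgiVecp.sys []",
    r"S3 catchme;catchme; \??\C:\DOCUME~1\acer\LOCALS~1\Temp\catchme.sys []",
    r"S3 gdrv;gdrv; \??\C:\WINDOWS\gdrv.sys []",
    r"S3 Wdf01000;Kernel Mode Driver Frameworks service; C:\WINDOWS\System32\Drivers\wdf01000.sys []",
]

# RSIT entry layout:
#   <R|S><start type> <service name>;<display name>; <image path> [<yyyy-mm-dd> <size>]
# R = running, S = stopped; start type 0 boot, 1 system, 2 auto, 3 demand, 4 disabled.
# An empty "[]" means RSIT could not read the image file's date and size.
ENTRY_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4]) "
    r"(?P<name>[^;]+);(?P<display>[^;]*); "
    r"(?P<path>.*?) \[(?P<meta>[^\]]*)\]$"
)
NT_PREFIX = "\\??\\"  # NT object-manager prefix some drivers are registered with
DRIVER_DIR = "c:\\windows\\system32\\drivers"  # the usual home of kernel drivers on XP


@dataclass
class DriverEntry:
    state: str
    start: int
    name: str
    display: str
    path: str            # Win32 path with any NT prefix removed
    date: Optional[str]  # None when RSIT printed "[]"
    size: Optional[int]


def parse_entry(line: str) -> Optional[DriverEntry]:
    """Return a DriverEntry for one RSIT line, or None if the line is not an entry."""
    m = ENTRY_RE.match(line.strip())
    if m is None:
        return None
    path = m["path"]
    if path.startswith(NT_PREFIX):
        path = path[len(NT_PREFIX):]
    meta = m["meta"].split()
    date = meta[0] if len(meta) == 2 else None
    size = int(meta[1]) if len(meta) == 2 else None
    return DriverEntry(m["state"], int(m["start"]), m["name"], m["display"], path, date, size)


def parse_lines(lines) -> List[DriverEntry]:
    """Parse every recognised entry line; section headers and blank lines are skipped."""
    entries = []
    for line in lines:
        entry = parse_entry(line)
        if entry is not None:
            entries.append(entry)
    return entries


def triage_drivers(entries: List[DriverEntry]) -> Dict[str, List[str]]:
    """Map driver name -> reasons it deserves a second look (candidates, not verdicts).

    Legitimate drivers trip these checks too (the Wdf01000 framework driver shows
    "[]" in the log above), so a helper still has to review each hit by hand.
    """
    findings: Dict[str, List[str]] = {}
    for e in entries:
        reasons = []
        if e.date is None:
            reasons.append("file_info_missing")  # file gone, hidden, or unreadable
        low = e.path.lower()
        if "\\temp\\" in low:
            reasons.append("temp_dir")  # kernel driver registered from a Temp folder
        if ntpath.dirname(low) != DRIVER_DIR:
            reasons.append("nonstandard_dir")  # not in the usual drivers directory
        if reasons:
            findings[e.name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage_drivers(parse_lines(SAMPLE_LINES)).items():
        print(f"{name}: {', '.join(reasons)}")
```

Feed it the whole log text split into lines and it ignores everything that is not a driver entry, so the `List of services` section (whose executables legitimately live under Program Files) should be triaged with a different directory rule.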

vyosek
VIP
Posts: 56373
Registered: 07 Nov 2006 15:24
Location: Šalingrad - Brno

Re: Virus-infected PC, asking for advice.

#2 Post by vyosek »

Hello and good evening :)

Do you know how to use ComboFix: apply it, read the log and clean up what is left with a script? See the dangers below.

Dangers of CF
  • It is intended primarily for helpers; by using it on your own initiative you forfeit support
  • It wipes the traces of the malware, so nothing is visible in the RSIT log
  • Its log has to be picked through, because it cannot delete everything; you will hardly manage that unless you are trained for it
  • CF can have a bug = it takes your system down; if you don't know where it stores things and how to restore them, your system is toast and a reinstall awaits you
  • Unfortunately CF still does not check some important libraries (e.g. hal.dll), which some types of malware replace (e.g. Angela); after a restart it deletes your hal.dll = your system won't boot and you are one line up = reinstall
Please post its log here; it is located at c:\combofix.txt
"He who has wine and does not drink it, who has grapes and does not eat them, who has a wife and does not kiss her, who avoids having fun: take a whip and a stick to him, that is not a man, that is an ox."

Acer
Visitor
Posts: 7
Registered: 24 Nov 2011 14:08

Re: Virus-infected PC, asking for advice.

#3 Post by Acer »

Good evening to you too. Unfortunately I acted faster than I got here to the forum. First I was advised to run ComboFix, which detected a rootkit; the PC then restarted, and after that the OTC tool deleted the traces. So I cannot get at the initial log. I only came across this forum after another recommendation.

I apologize, and if you accept my apology, next time I will be wiser and come straight here.

So, from the beginning:
----------------------------------------------------------------------------------------------
ComboFix 11-11-23.03 - acer 24.11.2011 16:39:47.3.2 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.2037.1498 [GMT 1:00]
Spuštěný z: c:\documents and settings\acer\Plocha\ComboFix.exe
.
.
((((((((((((((((((((((((( Soubory vytvořené od 2011-10-24 do 2011-11-24 )))))))))))))))))))))))))))))))
.
.
2011-11-23 12:00 . 2011-11-24 11:08 -------- d-----w- c:\documents and settings\All Users\Data aplikací\AVAST Software
2011-11-23 12:00 . 2011-11-23 12:00 -------- d-----w- c:\program files\AVAST Software
2011-11-23 11:33 . 2011-11-23 11:33 -------- d-----w- C:\Poscom
2011-11-23 11:20 . 2011-11-23 11:20 -------- d-----w- c:\documents and settings\acer\Data aplikací\ESET
2011-11-23 11:19 . 2011-11-23 11:19 -------- d-----w- c:\program files\ESET
2011-11-23 11:19 . 2011-11-23 11:19 -------- d-----w- c:\documents and settings\All Users\Data aplikací\ESET
2011-11-23 11:08 . 2011-11-23 11:08 -------- d-----w- c:\documents and settings\acer\Local Settings\Data aplikací\Babylon
2011-11-23 11:08 . 2011-11-23 11:08 -------- d-----w- c:\documents and settings\acer\Data aplikací\Babylon
2011-11-23 11:08 . 2011-11-23 11:08 -------- d-----w- c:\documents and settings\All Users\Data aplikací\Babylon
2011-11-22 08:44 . 2011-11-22 08:44 -------- d-----w- c:\program files\COMODO
2011-11-22 08:44 . 2011-11-22 08:44 -------- d-----w- c:\documents and settings\All Users\Data aplikací\Comodo Downloader
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-23 11:24 . 2009-12-17 12:50 17488 ----a-w- c:\windows\gdrv.sys
2011-10-07 17:47 . 2011-10-07 17:47 33984 ----a-w- c:\windows\system32\cmdcsr.dll
2011-10-07 17:47 . 2011-10-07 17:47 300200 ----a-w- c:\windows\system32\guard32.dll
2011-09-14 09:34 . 2011-05-16 06:01 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-30 12:37 . 2011-09-05 07:07 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-08-08 . 1E603EA2A3FDBAE9E5B88A8CB3C03124 . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-21 134656]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-21 166912]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-21 134656]
"RTHDCPL"="RTHDCPL.EXE" [2009-01-13 18084864]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\hp_CLJ_CM1015-CM1017_Full_Solution\\setup\\HPZnet01.exe"=
"c:\\hp_CLJ_CM1015-CM1017_Full_Solution\\setup\\hppniprint01.exe"=
"c:\\hp_CLJ_CM1015-CM1017_Full_Solution\\setup\\hppniprint64.exe"=
"c:\\hp_CLJ_CM1015-CM1017_Full_Solution\\setup\\hppnicifs01.exe"=
"c:\\hp_CLJ_CM1015-CM1017_Full_Solution\\setup\\hpntwkexe.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\ICQ7.2\\ICQ.exe"=
"c:\\Program Files\\ICQ7.2\\aolload.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\CLVIEW.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\OSE.EXE"=
"c:\\Program Files\\HP\\HP UT LEDM\\bin\\hppusg.exe"=
"c:\\Program Files\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\WINWORD.EXE"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [11.9.2009 7:23 108792]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [17.12.2009 11:37 39424]
S2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [11.9.2009 7:24 735960]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
S3 mvusbews;USB EWS Device;c:\windows\system32\drivers\mvusbews.sys [10.11.2010 13:49 17408]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [9.1.2010 21:37 4640000]
S3 SQLAgent$SPZSQL2011;SQLAgent$SPZSQL2011;c:\program files\Microsoft SQL Server\MSSQL$SPZSQL2011\Binn\sqlagent.EXE -i SPZSQL2011 --> c:\program files\Microsoft SQL Server\MSSQL$SPZSQL2011\Binn\sqlagent.EXE -i SPZSQL2011 [?]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://downloads.phpnuke.org/en/index.php?rvs=google
mStart Page = hxxp://downloads.phpnuke.org/en/index.php?rvs=google
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Od&eslat do aplikace OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1
DPF: {672EE252-D813-4F5E-81BB-5DD163DD4FA5} - hxxps://www.mojedatovaschranka.cz/static/pages/ ... ?3,16,13,0
FF - ProfilePath - c:\documents and settings\acer\Data aplikací\Mozilla\Firefox\Profiles\7mx24ojz.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&tb_ver=1.2.9&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.seznam.cz
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&tb_ver=1.3.6&q=
FF - prefs.js: network.proxy.type - 0
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: browser.xul.error_pages.enabled - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 3000000
FF - user.js: content.maxtextrun - 8191
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 32
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: network.http.max-persistent-connections-per-proxy - 8
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-24 16:42
Windows 5.1.2600 Service Pack 3 NTFS
.
skenování skrytých procesů ...
.
skenování skrytých položek 'Po spuštění' ...
.
skenování skrytých souborů ...
.
sken byl úspešně dokončen
skryté soubory: 0
.
**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------
.
- - - - - - - > 'explorer.exe'(1804)
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
Celkový čas: 2011-11-24 16:43:58
ComboFix-quarantined-files.txt 2011-11-24 15:43
.
Před spuštěním: Volných bajtů: 232 388 108 288
Po spuštění: Volných bajtů: 232 346 808 320
.
- - End Of File - - CC0DDA2A2B9C2C438DF8D344881DDD0C

vyosek
VIP
Posts: 56373
Registered: 07 Nov 2006 15:24
Location: Šalingrad - Brno

Re: Infected PC, asking for advice.

#4 Post by vyosek »

:arrow: Well, you were damn quick then :roll: CF+OTC and the traces are gone :?:

:arrow: You don't remember which rootkit was detected, do you

:arrow: Download TDSSKiller http://support.kaspersky.com/downloads/ ... killer.exe
  • Run the utility and tell it to scan - click Start Scan
  • If the utility finds an infection, it will want to cure it (Cure); allow the cure by clicking Continue
  • If the utility finds a suspicious file, it will want to skip it (Skip); allow the skip by clicking Continue
  • After the scan finishes a PC restart may be required; allow it by clicking Reboot now
  • After the restart a log will pop up; if it doesn't, you will find it directly on the drive where Windows is installed (usually c:\) with a name of the form TDSSKiller.<some numbers>_log.txt - paste its contents here
  • If no restart is required, click Close and then Report - a log will be created - paste its contents here
"He who has wine and does not drink it, who has grapes and does not eat them, who has a wife and does not kiss her, who shuns merriment, take a whip and a stick to him: that is no man, that is an ox."
Member since 1 February 2011.

Acer
Guest
Posts: 7
Registered: 24 Nov 2011 14:08

Re: Infected PC, asking for advice.

#5 Post by Acer »

:?: Oh dear

Well, the utility didn't find anything.
--------------------------------
16:53:23.0656 1716 TDSS rootkit removing tool 2.6.21.0 Nov 24 2011 12:32:44
16:53:23.0687 1716 ============================================================
16:53:23.0687 1716 Current date / time: 2011/11/24 16:53:23.0687
16:53:23.0687 1716 SystemInfo:
16:53:23.0687 1716
16:53:23.0687 1716 OS Version: 5.1.2600 ServicePack: 3.0
16:53:23.0687 1716 Product type: Workstation
16:53:23.0687 1716 ComputerName: ACER-PC
16:53:23.0687 1716 UserName: acer
16:53:23.0687 1716 Windows directory: C:\WINDOWS
16:53:23.0687 1716 System windows directory: C:\WINDOWS
16:53:23.0687 1716 Processor architecture: Intel x86
16:53:23.0687 1716 Number of processors: 2
16:53:23.0687 1716 Page size: 0x1000
16:53:23.0687 1716 Boot type: Normal boot
16:53:23.0687 1716 ============================================================
16:53:24.0625 1716 Initialize success
16:53:26.0812 1208 ============================================================
16:53:26.0812 1208 Scan started
16:53:26.0812 1208 Mode: Manual;
16:53:26.0812 1208 ============================================================
16:53:27.0843 1208 Abiosdsk - ok
16:53:27.0843 1208 abp480n5 - ok
16:53:27.0906 1208 ACPI (4fe34f1f3126b61fcc6b2043aa8112c9) C:\WINDOWS\system32\DRIVERS\ACPI.sys
16:53:27.0906 1208 ACPI - ok
16:53:27.0953 1208 ACPIEC (afdff022a01f0b11c776f0860c3b282f) C:\WINDOWS\system32\drivers\ACPIEC.sys
16:53:27.0953 1208 ACPIEC - ok
16:53:27.0968 1208 adpu160m - ok
16:53:28.0000 1208 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
16:53:28.0015 1208 aec - ok
16:53:28.0031 1208 AFD (322d0e36693d6e24a2398bee62a268cd) C:\WINDOWS\System32\drivers\afd.sys
16:53:28.0031 1208 AFD - ok
16:53:28.0031 1208 Aha154x - ok
16:53:28.0046 1208 aic78u2 - ok
16:53:28.0062 1208 aic78xx - ok
16:53:28.0078 1208 AliIde - ok
16:53:28.0093 1208 amsint - ok
16:53:28.0093 1208 asc - ok
16:53:28.0109 1208 asc3350p - ok
16:53:28.0125 1208 asc3550 - ok
16:53:28.0156 1208 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
16:53:28.0156 1208 AsyncMac - ok
16:53:28.0203 1208 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
16:53:28.0203 1208 atapi - ok
16:53:28.0218 1208 Atdisk - ok
16:53:28.0234 1208 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
16:53:28.0234 1208 Atmarpc - ok
16:53:28.0281 1208 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
16:53:28.0281 1208 audstub - ok
16:53:28.0296 1208 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
16:53:28.0296 1208 Beep - ok
16:53:28.0421 1208 catchme - ok
16:53:28.0453 1208 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
16:53:28.0453 1208 cbidf2k - ok
16:53:28.0468 1208 cd20xrnt - ok
16:53:28.0484 1208 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
16:53:28.0484 1208 Cdaudio - ok
16:53:28.0500 1208 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
16:53:28.0500 1208 Cdfs - ok
16:53:28.0531 1208 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
16:53:28.0531 1208 Cdrom - ok
16:53:28.0546 1208 Changer - ok
16:53:28.0562 1208 CmdIde - ok
16:53:28.0578 1208 Cpqarray - ok
16:53:28.0593 1208 dac2w2k - ok
16:53:28.0609 1208 dac960nt - ok
16:53:28.0625 1208 DgiVecp - ok
16:53:28.0640 1208 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
16:53:28.0640 1208 Disk - ok
16:53:28.0687 1208 dmboot (db5fd2bf5b07dc54bfcb3664ff05bd7c) C:\WINDOWS\system32\drivers\dmboot.sys
16:53:28.0687 1208 dmboot - ok
16:53:28.0703 1208 dmio (fff1720af51171f32f1ead5cf71f2810) C:\WINDOWS\system32\drivers\dmio.sys
16:53:28.0703 1208 dmio - ok
16:53:28.0718 1208 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
16:53:28.0718 1208 dmload - ok
16:53:28.0781 1208 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
16:53:28.0781 1208 DMusic - ok
16:53:28.0781 1208 dpti2o - ok
16:53:28.0828 1208 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
16:53:28.0828 1208 drmkaud - ok
16:53:28.0843 1208 eamon (30372bcc67d63bee538cdfeca755d81c) C:\WINDOWS\system32\DRIVERS\eamon.sys
16:53:28.0843 1208 eamon - ok
16:53:28.0890 1208 ehdrv (6504d6afb75fef830dd99e8c4235d54d) C:\WINDOWS\system32\DRIVERS\ehdrv.sys
16:53:28.0890 1208 ehdrv - ok
16:53:28.0906 1208 epfw (86895d4413316becc2d7944d2749586c) C:\WINDOWS\system32\DRIVERS\epfw.sys
16:53:28.0906 1208 epfw - ok
16:53:28.0937 1208 Epfwndis (3b47010b2425b69826004767e59045ba) C:\WINDOWS\system32\DRIVERS\Epfwndis.sys
16:53:28.0937 1208 Epfwndis - ok
16:53:28.0953 1208 epfwtdi (6d69809e98df95980060d4699eb6d633) C:\WINDOWS\system32\DRIVERS\epfwtdi.sys
16:53:28.0953 1208 epfwtdi - ok
16:53:29.0000 1208 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
16:53:29.0000 1208 Fastfat - ok
16:53:29.0046 1208 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
16:53:29.0046 1208 Fdc - ok
16:53:29.0046 1208 Fips (ac366695a0796560aa37215ad5762aaf) C:\WINDOWS\system32\drivers\Fips.sys
16:53:29.0062 1208 Fips - ok
16:53:29.0109 1208 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
16:53:29.0109 1208 Flpydisk - ok
16:53:29.0125 1208 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
16:53:29.0125 1208 FltMgr - ok
16:53:29.0140 1208 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
16:53:29.0140 1208 Fs_Rec - ok
16:53:29.0187 1208 Ftdisk (4e664d8541db4a66b73a24257e322e1f) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
16:53:29.0203 1208 Ftdisk - ok
16:53:29.0218 1208 gdrv (d556cb79967e92b5cc69686d16c1d846) C:\WINDOWS\gdrv.sys
16:53:29.0218 1208 gdrv - ok
16:53:29.0250 1208 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
16:53:29.0250 1208 Gpc - ok
16:53:29.0250 1208 HDAudBus - ok
16:53:29.0312 1208 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
16:53:29.0312 1208 hidusb - ok
16:53:29.0328 1208 HPFXBULK - ok
16:53:29.0328 1208 hpn - ok
16:53:29.0390 1208 HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINDOWS\system32\Drivers\HTTP.sys
16:53:29.0390 1208 HTTP - ok
16:53:29.0406 1208 hwdatacard - ok
16:53:29.0421 1208 i2omgmt - ok
16:53:29.0421 1208 i2omp - ok
16:53:29.0437 1208 i8042prt (c528e27945367191e7bae364930b6932) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
16:53:29.0437 1208 i8042prt - ok
16:53:29.0875 1208 ialm (3b743262b6456167888d15f1121b3bf7) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
16:53:29.0921 1208 ialm - ok
16:53:30.0015 1208 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
16:53:30.0031 1208 Imapi - ok
16:53:30.0031 1208 ini910u - ok
16:53:30.0046 1208 IntcAzAudAddService - ok
16:53:30.0062 1208 IntelIde - ok
16:53:30.0109 1208 intelppm (27b290d632af2cf3cf40bfddb7370985) C:\WINDOWS\system32\DRIVERS\intelppm.sys
16:53:30.0109 1208 intelppm - ok
16:53:30.0140 1208 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
16:53:30.0140 1208 Ip6Fw - ok
16:53:30.0171 1208 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
16:53:30.0171 1208 IpFilterDriver - ok
16:53:30.0187 1208 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
16:53:30.0187 1208 IpInIp - ok
16:53:30.0218 1208 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
16:53:30.0218 1208 IpNat - ok
16:53:30.0218 1208 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
16:53:30.0218 1208 IRENUM - ok
16:53:30.0265 1208 isapnp (cc9f8a2d60aed1a51a3ac34c59b987ae) C:\WINDOWS\system32\DRIVERS\isapnp.sys
16:53:30.0265 1208 isapnp - ok
16:53:30.0312 1208 Kbdclass (1b6162fe7f66b1a71a4b70f941c4aa9b) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
16:53:30.0312 1208 Kbdclass - ok
16:53:30.0359 1208 kbdhid (86c8f23616c6c6e5b2776901c17b945b) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
16:53:30.0359 1208 kbdhid - ok
16:53:30.0421 1208 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
16:53:30.0421 1208 kmixer - ok
16:53:30.0437 1208 KSecDD (1705745d900dabf2d89f90ebaddc7517) C:\WINDOWS\system32\drivers\KSecDD.sys
16:53:30.0437 1208 KSecDD - ok
16:53:30.0484 1208 L1c (140f9b777fa84e2f5eeea5cadc112e53) C:\WINDOWS\system32\DRIVERS\l1c51x86.sys
16:53:30.0484 1208 L1c - ok
16:53:30.0484 1208 L8042Kbd - ok
16:53:30.0500 1208 lbrtfdc - ok
16:53:30.0531 1208 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
16:53:30.0531 1208 mnmdd - ok
16:53:30.0546 1208 Modem (44032b0c6d9954d3fd26438330b99ee7) C:\WINDOWS\system32\drivers\Modem.sys
16:53:30.0546 1208 Modem - ok
16:53:30.0562 1208 Mouclass (4cb582831dbde63ce43b45d771218374) C:\WINDOWS\system32\DRIVERS\mouclass.sys
16:53:30.0562 1208 Mouclass - ok
16:53:30.0593 1208 mouhid (bb269eba740737ab749b214d568b6812) C:\WINDOWS\system32\DRIVERS\mouhid.sys
16:53:30.0593 1208 mouhid - ok
16:53:30.0609 1208 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
16:53:30.0609 1208 MountMgr - ok
16:53:30.0625 1208 mraid35x - ok
16:53:30.0640 1208 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
16:53:30.0640 1208 MRxDAV - ok
16:53:30.0687 1208 MRxSmb (68755f0ff16070178b54674fe5b847b0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
16:53:30.0703 1208 MRxSmb - ok
16:53:30.0703 1208 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
16:53:30.0703 1208 Msfs - ok
16:53:30.0734 1208 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
16:53:30.0750 1208 MSKSSRV - ok
16:53:30.0781 1208 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
16:53:30.0781 1208 MSPCLOCK - ok
16:53:30.0796 1208 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
16:53:30.0796 1208 MSPQM - ok
16:53:30.0843 1208 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
16:53:30.0843 1208 mssmbios - ok
16:53:30.0875 1208 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
16:53:30.0890 1208 Mup - ok
16:53:30.0921 1208 mvusbews (1889385f1825c0782c5c179a0518d490) C:\WINDOWS\system32\Drivers\mvusbews.sys
16:53:30.0921 1208 mvusbews - ok
16:53:30.0953 1208 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
16:53:30.0953 1208 NDIS - ok
16:53:30.0968 1208 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
16:53:30.0968 1208 NdisTapi - ok
16:53:31.0015 1208 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
16:53:31.0031 1208 Ndisuio - ok
16:53:31.0031 1208 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
16:53:31.0031 1208 NdisWan - ok
16:53:31.0046 1208 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
16:53:31.0046 1208 NDProxy - ok
16:53:31.0062 1208 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
16:53:31.0062 1208 NetBIOS - ok
16:53:31.0078 1208 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
16:53:31.0078 1208 NetBT - ok
16:53:31.0125 1208 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
16:53:31.0125 1208 Npfs - ok
16:53:31.0156 1208 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
16:53:31.0156 1208 Ntfs - ok
16:53:31.0171 1208 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
16:53:31.0171 1208 Null - ok
16:53:31.0203 1208 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
16:53:31.0203 1208 NwlnkFlt - ok
16:53:31.0218 1208 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
16:53:31.0218 1208 NwlnkFwd - ok
16:53:31.0265 1208 Parport (46f8db73b4a53e543f8e371dc7c75bae) C:\WINDOWS\system32\DRIVERS\parport.sys
16:53:31.0265 1208 Parport - ok
16:53:31.0265 1208 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
16:53:31.0281 1208 PartMgr - ok
16:53:31.0281 1208 ParVdm (1fae19d0457176318bba4a8795656ebc) C:\WINDOWS\system32\drivers\ParVdm.sys
16:53:31.0296 1208 ParVdm - ok
16:53:31.0312 1208 PCI (6ce351d149cb4befc702951e471e1730) C:\WINDOWS\system32\DRIVERS\pci.sys
16:53:31.0312 1208 PCI - ok
16:53:31.0328 1208 PCIDump - ok
16:53:31.0343 1208 PCIIde (2da4ec85e0ea7a45c6b2a05820492d5a) C:\WINDOWS\system32\DRIVERS\pciide.sys
16:53:31.0343 1208 PCIIde - ok
16:53:31.0375 1208 Pcmcia (4fc31e6c19a5ce5198b1abff94cae758) C:\WINDOWS\system32\drivers\Pcmcia.sys
16:53:31.0375 1208 Pcmcia - ok
16:53:31.0390 1208 PDCOMP - ok
16:53:31.0390 1208 PDFRAME - ok
16:53:31.0406 1208 PDRELI - ok
16:53:31.0421 1208 PDRFRAME - ok
16:53:31.0421 1208 perc2 - ok
16:53:31.0437 1208 perc2hib - ok
16:53:31.0453 1208 Point32 - ok
16:53:31.0500 1208 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
16:53:31.0500 1208 PptpMiniport - ok
16:53:31.0515 1208 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
16:53:31.0515 1208 PSched - ok
16:53:31.0515 1208 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
16:53:31.0515 1208 Ptilink - ok
16:53:31.0531 1208 ql1080 - ok
16:53:31.0546 1208 Ql10wnt - ok
16:53:31.0562 1208 ql12160 - ok
16:53:31.0562 1208 ql1240 - ok
16:53:31.0578 1208 ql1280 - ok
16:53:31.0609 1208 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
16:53:31.0609 1208 RasAcd - ok
16:53:31.0625 1208 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
16:53:31.0625 1208 Rasl2tp - ok
16:53:31.0640 1208 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
16:53:31.0640 1208 RasPppoe - ok
16:53:31.0656 1208 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
16:53:31.0656 1208 Raspti - ok
16:53:31.0671 1208 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
16:53:31.0671 1208 Rdbss - ok
16:53:31.0687 1208 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
16:53:31.0687 1208 RDPCDD - ok
16:53:31.0718 1208 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
16:53:31.0718 1208 rdpdr - ok
16:53:31.0765 1208 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
16:53:31.0765 1208 RDPWD - ok
16:53:31.0812 1208 redbook (611bfd220305be3a85ae876ea47d4aa5) C:\WINDOWS\system32\DRIVERS\redbook.sys
16:53:31.0812 1208 redbook - ok
16:53:31.0843 1208 Secdrv - ok
16:53:31.0890 1208 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
16:53:31.0890 1208 serenum - ok
16:53:31.0937 1208 Serial (b842729337c9b921615c40d3c1a1af96) C:\WINDOWS\system32\DRIVERS\serial.sys
16:53:31.0937 1208 Serial - ok
16:53:31.0953 1208 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
16:53:31.0953 1208 Sfloppy - ok
16:53:31.0968 1208 Simbad - ok
16:53:31.0968 1208 Sparrow - ok
16:53:32.0015 1208 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
16:53:32.0015 1208 splitter - ok
16:53:32.0046 1208 Sr (94610c8653635e4459316a0050d55ce7) C:\WINDOWS\system32\DRIVERS\sr.sys
16:53:32.0046 1208 Sr - ok
16:53:32.0062 1208 Srv (5252605079810904e31c332e241cd59b) C:\WINDOWS\system32\DRIVERS\srv.sys
16:53:32.0078 1208 Srv - ok
16:53:32.0078 1208 SSPORT - ok
16:53:32.0140 1208 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
16:53:32.0140 1208 swenum - ok
16:53:32.0171 1208 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
16:53:32.0171 1208 swmidi - ok
16:53:32.0187 1208 symc810 - ok
16:53:32.0203 1208 symc8xx - ok
16:53:32.0203 1208 sym_hi - ok
16:53:32.0218 1208 sym_u3 - ok
16:53:32.0250 1208 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
16:53:32.0250 1208 sysaudio - ok
16:53:32.0281 1208 Tcpip (93ea8d04ec73a85db02eb8805988f733) C:\WINDOWS\system32\DRIVERS\tcpip.sys
16:53:32.0296 1208 Tcpip - ok
16:53:32.0328 1208 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
16:53:32.0328 1208 TDPIPE - ok
16:53:32.0359 1208 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
16:53:32.0359 1208 TDTCP - ok
16:53:32.0406 1208 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
16:53:32.0406 1208 TermDD - ok
16:53:32.0421 1208 TosIde - ok
16:53:32.0453 1208 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
16:53:32.0453 1208 Udfs - ok
16:53:32.0468 1208 ultra - ok
16:53:32.0484 1208 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
16:53:32.0484 1208 Update - ok
16:53:32.0515 1208 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
16:53:32.0515 1208 usbccgp - ok
16:53:32.0562 1208 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
16:53:32.0562 1208 usbehci - ok
16:53:32.0609 1208 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
16:53:32.0609 1208 usbhub - ok
16:53:32.0625 1208 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
16:53:32.0640 1208 usbprint - ok
16:53:32.0640 1208 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
16:53:32.0640 1208 usbscan - ok
16:53:32.0671 1208 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
16:53:32.0671 1208 USBSTOR - ok
16:53:32.0718 1208 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
16:53:32.0718 1208 usbuhci - ok
16:53:32.0734 1208 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
16:53:32.0734 1208 VgaSave - ok
16:53:32.0734 1208 ViaIde - ok
16:53:32.0765 1208 VolSnap (28a4b296b47782173c346e376cb374d1) C:\WINDOWS\system32\drivers\VolSnap.sys
16:53:32.0765 1208 VolSnap - ok
16:53:32.0781 1208 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
16:53:32.0781 1208 Wanarp - ok
16:53:32.0796 1208 Wdf01000 - ok
16:53:32.0812 1208 WDICA - ok
16:53:32.0828 1208 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
16:53:32.0828 1208 wdmaud - ok
16:53:32.0859 1208 WudfPf - ok
16:53:32.0875 1208 WudfRd - ok
16:53:32.0906 1208 MBR (0x1B8) (413fc2a0c716421b3158746d63736515) \Device\Harddisk0\DR0
16:53:33.0031 1208 \Device\Harddisk0\DR0 - ok
16:53:33.0031 1208 Boot (0x1200) (d8114f58d09830d8f5053bd45d67786c) \Device\Harddisk0\DR0\Partition0
16:53:33.0031 1208 \Device\Harddisk0\DR0\Partition0 - ok
16:53:33.0031 1208 ============================================================
16:53:33.0031 1208 Scan finished
16:53:33.0031 1208 ============================================================
16:53:33.0031 1152 Detected object count: 0
16:53:33.0031 1152 Actual detected object count: 0
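A TDSSKiller log of this length is read by eye for three things: any entry whose verdict is not `- ok`, the object counts at the end, and drivers hashed from somewhere other than the standard drivers directory (gdrv.sys sitting in C:\WINDOWS above is a vendor driver, not malware, but it is the kind of entry a helper double-checks). The Python script below is an added example, not part of this thread and not TDSSKiller's own code: it parses the `<time> <pid> <message>` layout of the log posted above and returns those three things. The sample log is constructed from a few lines of the post plus one hypothetical driver, `hypodrv`, with a made-up `- detected ...` verdict so that the flagging path is exercised; that non-ok lines follow the same `name - verdict` shape as the ok lines is an assumption, since the post contains no detection.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the "<time> <pid> <message>" layout of the TDSSKiller 2.6 log
# posted above. Most lines are copied from the post; "hypodrv" and its "- detected"
# verdict are hypothetical, added so the flagging path has something to find, and
# the object counts are set to match.
SAMPLE_LOG = """\
16:53:26.0812 1208 Scan started
16:53:26.0812 1208 Mode: Manual;
16:53:27.0843 1208 Abiosdsk - ok
16:53:27.0906 1208 ACPI (4fe34f1f3126b61fcc6b2043aa8112c9) C:\\WINDOWS\\system32\\DRIVERS\\ACPI.sys
16:53:27.0906 1208 ACPI - ok
16:53:29.0218 1208 gdrv (d556cb79967e92b5cc69686d16c1d846) C:\\WINDOWS\\gdrv.sys
16:53:29.0218 1208 gdrv - ok
16:53:32.0281 1208 Tcpip (93ea8d04ec73a85db02eb8805988f733) C:\\WINDOWS\\system32\\DRIVERS\\tcpip.sys
16:53:32.0296 1208 Tcpip - ok
16:53:32.0900 1208 hypodrv (0123456789abcdef0123456789abcdef) C:\\WINDOWS\\system32\\hypodrv.sys
16:53:32.0901 1208 hypodrv - detected Constructed.Sample.Verdict
16:53:32.0906 1208 MBR (0x1B8) (413fc2a0c716421b3158746d63736515) \\Device\\Harddisk0\\DR0
16:53:33.0031 1208 \\Device\\Harddisk0\\DR0 - ok
16:53:33.0031 1208 Scan finished
16:53:33.0031 1152 Detected object count: 1
16:53:33.0031 1152 Actual detected object count: 1
"""

LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+\s+\d+\s*(.*)$")
# "<object> (<md5>) <path>"; the object may carry a size tag such as "MBR (0x1B8)".
HASH_RE = re.compile(r"^(.+?) \(([0-9a-f]{32})\) (.+)$")
# "<object> - <verdict>"; "ok" for clean entries. Non-ok lines are assumed to share
# this shape (an assumption, not something the post shows).
VERDICT_RE = re.compile(r"^(.+?) - (.+)$")
COUNT_RE = re.compile(r"^(Detected object count|Actual detected object count): (\d+)$")
# Where XP keeps its kernel drivers. A driver hashed from elsewhere is not malicious
# by itself (gdrv.sys above is a vendor driver) but is worth a second look.
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"


@dataclass
class Entry:
    name: str
    md5: Optional[str] = None
    path: Optional[str] = None
    verdict: Optional[str] = None


@dataclass
class Report:
    entries: Dict[str, Entry] = field(default_factory=dict)
    counts: Dict[str, int] = field(default_factory=dict)

    def flagged(self) -> List[Entry]:
        """Entries whose verdict is anything other than 'ok'."""
        return [e for e in self.entries.values() if e.verdict not in (None, "ok")]

    def unusual_paths(self) -> List[Entry]:
        """Hashed drivers living outside the standard drivers directory."""
        return [e for e in self.entries.values() if e.path
                and not e.path.startswith("\\Device\\")
                and not e.path.lower().startswith(DRIVER_DIR)]

    def summary_consistent(self) -> bool:
        """Cross-check the tool's own count against the verdict lines we parsed."""
        return self.counts.get("Detected object count") == len(self.flagged())


def parse_tdsskiller_log(text: str) -> Report:
    report = Report()
    by_path: Dict[str, Entry] = {}  # MBR/boot-sector verdicts are keyed by device path
    for raw in text.splitlines():
        m = LINE_RE.match(raw.rstrip())
        if not m or not m.group(1):
            continue  # blank, banner or foreign line
        msg = m.group(1).strip()
        if cm := COUNT_RE.match(msg):
            report.counts[cm.group(1)] = int(cm.group(2))
        elif hm := HASH_RE.match(msg):
            entry = Entry(name=hm.group(1), md5=hm.group(2), path=hm.group(3))
            report.entries[entry.name] = entry
            by_path[entry.path] = entry
        elif vm := VERDICT_RE.match(msg):
            subject, verdict = vm.group(1), vm.group(2)
            entry = report.entries.get(subject) or by_path.get(subject)
            if entry is None:  # service with no file on disk, e.g. "Abiosdsk - ok"
                entry = report.entries.setdefault(subject, Entry(name=subject))
            entry.verdict = verdict
        # anything else ("Scan started", "Mode:", separators) is scan chatter
    return report


def triage(text: str) -> Dict[str, object]:
    """The three things a helper reads a TDSSKiller log for, in one call."""
    r = parse_tdsskiller_log(text)
    return {
        "flagged": [(e.name, e.verdict, e.path) for e in r.flagged()],
        "unusual_paths": sorted(e.name for e in r.unusual_paths()),
        "counts": dict(r.counts),
        "summary_consistent": r.summary_consistent(),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The MBR and boot-sector lines are the one place the format changes shape: the hash line names the object (`MBR (0x1B8)`) but the verdict line names the device path, so the parser keeps a second index by path. The `summary_consistent` check is there because a log is sometimes pasted truncated or with lines missing; if the tool's own "Detected object count" does not match the number of non-ok verdict lines, the log is incomplete and should be requested again rather than read as clean.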

vyosek
VIP
Posts: 56373
Registered: 07 Nov 2006 15:24
Location: Šalingrad - Brno

Re: Infected PC, asking for advice.

#6 Post by vyosek »

:arrow: If you haven't already, move Combofix to the desktop
  • Open Notepad (Start - Run - notepad)
  • Copy the script below
  • Code:

    KillAll::
    
    File::
    C:\Documents and Settings\acer\Data aplikací\Mozilla\Firefox\Profiles\7mx24ojz.default\searchplugins\icqplugin-1.xml
    C:\Documents and Settings\acer\Data aplikací\Mozilla\Firefox\Profiles\7mx24ojz.default\searchplugins\icqplugin-2.xml
    C:\Documents and Settings\acer\Data aplikací\Mozilla\Firefox\Profiles\7mx24ojz.default\searchplugins\icqplugin-3.xml
    C:\Documents and Settings\acer\Data aplikací\Mozilla\Firefox\Profiles\7mx24ojz.default\searchplugins\icqplugin-4.xml
    C:\Documents and Settings\acer\Data aplikací\Mozilla\Firefox\Profiles\7mx24ojz.default\searchplugins\icqplugin-5.xml
    C:\Documents and Settings\acer\Data aplikací\Mozilla\Firefox\Profiles\7mx24ojz.default\searchplugins\icqplugin-6.xml
    C:\Documents and Settings\acer\Data aplikací\Mozilla\Firefox\Profiles\7mx24ojz.default\searchplugins\icqplugin-7.xml
    C:\Documents and Settings\acer\Data aplikací\Mozilla\Firefox\Profiles\7mx24ojz.default\searchplugins\icqplugin.xml
    C:\Documents and Settings\acer\Data aplikací\Mozilla\Firefox\Profiles\7mx24ojz.default\searchplugins\Phpnuke.xml
    
    Registry::
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "Adobe Reader Speed Launcher"=-
    "Adobe ARM"=-
    "QuickTime Task"=-
    
    DDS::
    uStart Page = hxxp://downloads.phpnuke.org/en/index.php?rvs=google
    mStart Page = hxxp://downloads.phpnuke.org/en/index.php?rvs=google
    
    Firefox::
    FF - ProfilePath - c:\documents and settings\acer\Data aplikací\Mozilla\Firefox\Profiles\7mx24ojz.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.icq.com/search/afe_result ... r=1.2.9&q=
    FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_result ... r=1.3.6&q=
    FF - prefs.js: network.proxy.type - 0
    FF - user.js: browser.cache.memory.capacity - 65536
    FF - user.js: browser.display.show_image_placeholders - true
    FF - user.js: browser.chrome.favicons - false
    FF - user.js: browser.turbo.enabled - true
    FF - user.js: browser.urlbar.autocomplete.enabled - true
    FF - user.js: browser.urlbar.autofill - true
    FF - user.js: browser.xul.error_pages.enabled - true
    FF - user.js: content.interrupt.parsing - true
    FF - user.js: content.max.tokenizing.time - 3000000
    FF - user.js: content.maxtextrun - 8191
    FF - user.js: content.notify.backoffcount - 5
    FF - user.js: content.notify.interval - 750000
    FF - user.js: content.notify.ontimer - true
    FF - user.js: content.notify.ontimer - true
    FF - user.js: content.switch.threshold - 750000
    FF - user.js: network.http.max-connections - 32
    FF - user.js: network.http.max-connections-per-server - 8
    FF - user.js: network.http.max-persistent-connections-per-proxy - 8
    FF - user.js: network.http.max-persistent-connections-per-server - 4
    FF - user.js: network.http.pipelining - true
    FF - user.js: network.http.pipelining.maxrequests - 8
    FF - user.js: network.http.proxy.pipelining - true
    FF - user.js: network.http.request.max-start-delay - 0
    FF - user.js: nglayout.initialpaint.delay - 0
    FF - user.js: plugin.expose_full_path - true
    FF - user.js: ui.submenuDelay - 0
    
    Replicator::
    
    ClearJavaCache::
    
    AtJob::
    
    Reboot::
  • Save the created TXT as CFScript.txt
  • Drag the created CFScript.txt onto Combofix and drop it (see the picture below)
    [image]
  • After the script is applied (and a possible restart) a log will pop up; paste its contents here
:arrow: It may happen that Windows won't boot after the script is applied; in that case restart the PC, keep pressing F8 and choose Last Known Good Configuration

Acer
Guest
Posts: 7
Registered: 24 Nov 2011 14:08

Re: Infected PC, asking for advice.

#7 Post by Acer »

So the situation is still the same.
After logging into Windows it takes about two minutes before the login icon disappears and the desktop comes up.
First a balloon in the corner reports that there is no antivirus (fine), but after two minutes the firewall shuts down too.
Another balloon in the corner reports new hardware found: URTC 1000; no device is connected to the PC.
Internet still dead. :)

Log:
ComboFix 11-11-23.03 - acer 24.11.2011 17:10:00.5.2 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.2037.1505 [GMT 1:00]
Spuštěný z: c:\documents and settings\acer\Plocha\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\acer\Plocha\CFScript.txt
.
FILE ::
"c:\documents and settings\acer\Data aplikací\Mozilla\Firefox\Profiles\7mx24ojz.default\searchplugins\icqplugin-1.xml"
"c:\documents and settings\acer\Data aplikací\Mozilla\Firefox\Profiles\7mx24ojz.default\searchplugins\icqplugin-2.xml"
"c:\documents and settings\acer\Data aplikací\Mozilla\Firefox\Profiles\7mx24ojz.default\searchplugins\icqplugin-3.xml"
"c:\documents and settings\acer\Data aplikací\Mozilla\Firefox\Profiles\7mx24ojz.default\searchplugins\icqplugin-4.xml"
"c:\documents and settings\acer\Data aplikací\Mozilla\Firefox\Profiles\7mx24ojz.default\searchplugins\icqplugin-5.xml"
"c:\documents and settings\acer\Data aplikací\Mozilla\Firefox\Profiles\7mx24ojz.default\searchplugins\icqplugin-6.xml"
"c:\documents and settings\acer\Data aplikací\Mozilla\Firefox\Profiles\7mx24ojz.default\searchplugins\icqplugin-7.xml"
"c:\documents and settings\acer\Data aplikací\Mozilla\Firefox\Profiles\7mx24ojz.default\searchplugins\icqplugin.xml"
"c:\documents and settings\acer\Data aplikací\Mozilla\Firefox\Profiles\7mx24ojz.default\searchplugins\Phpnuke.xml"
.
.
((((((((((((((((((((((((( Soubory vytvořené od 2011-10-24 do 2011-11-24 )))))))))))))))))))))))))))))))
.
.
2011-11-24 15:22 . 2011-11-24 15:22 -------- d-----w- c:\documents and settings\acer\Data aplikací\Malwarebytes
2011-11-24 15:21 . 2011-11-24 15:21 -------- d-----w- c:\documents and settings\All Users\Data aplikací\Malwarebytes
2011-11-24 15:21 . 2010-11-29 16:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-11-24 15:21 . 2011-11-24 15:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-24 15:21 . 2010-11-29 16:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-24 12:47 . 2011-11-24 12:47 -------- d-----w- c:\program files\CCleaner
2011-11-23 12:00 . 2011-11-24 11:08 -------- d-----w- c:\documents and settings\All Users\Data aplikací\AVAST Software
2011-11-23 12:00 . 2011-11-23 12:00 -------- d-----w- c:\program files\AVAST Software
2011-11-23 11:33 . 2011-11-23 11:33 -------- d-----w- C:\Poscom
2011-11-23 11:20 . 2011-11-23 11:20 -------- d-----w- c:\documents and settings\acer\Data aplikací\ESET
2011-11-23 11:19 . 2011-11-23 11:19 -------- d-----w- c:\program files\ESET
2011-11-23 11:19 . 2011-11-23 11:19 -------- d-----w- c:\documents and settings\All Users\Data aplikací\ESET
2011-11-23 11:08 . 2011-11-23 11:08 -------- d-----w- c:\documents and settings\acer\Local Settings\Data aplikací\Babylon
2011-11-23 11:08 . 2011-11-23 11:08 -------- d-----w- c:\documents and settings\acer\Data aplikací\Babylon
2011-11-23 11:08 . 2011-11-23 11:08 -------- d-----w- c:\documents and settings\All Users\Data aplikací\Babylon
2011-11-22 08:44 . 2011-11-22 08:44 -------- d-----w- c:\program files\COMODO
2011-11-22 08:44 . 2011-11-22 08:44 -------- d-----w- c:\documents and settings\All Users\Data aplikací\Comodo Downloader
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-23 11:24 . 2009-12-17 12:50 17488 ----a-w- c:\windows\gdrv.sys
2011-10-07 17:47 . 2011-10-07 17:47 33984 ----a-w- c:\windows\system32\cmdcsr.dll
2011-10-07 17:47 . 2011-10-07 17:47 300200 ----a-w- c:\windows\system32\guard32.dll
2011-09-14 09:34 . 2011-05-16 06:01 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-30 12:37 . 2011-09-05 07:07 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-08-08 . 1E603EA2A3FDBAE9E5B88A8CB3C03124 . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-21 134656]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-21 166912]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-21 134656]
"RTHDCPL"="RTHDCPL.EXE" [2009-01-13 18084864]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\hp_CLJ_CM1015-CM1017_Full_Solution\\setup\\HPZnet01.exe"=
"c:\\hp_CLJ_CM1015-CM1017_Full_Solution\\setup\\hppniprint01.exe"=
"c:\\hp_CLJ_CM1015-CM1017_Full_Solution\\setup\\hppniprint64.exe"=
"c:\\hp_CLJ_CM1015-CM1017_Full_Solution\\setup\\hppnicifs01.exe"=
"c:\\hp_CLJ_CM1015-CM1017_Full_Solution\\setup\\hpntwkexe.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\ICQ7.2\\ICQ.exe"=
"c:\\Program Files\\ICQ7.2\\aolload.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\CLVIEW.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\OSE.EXE"=
"c:\\Program Files\\HP\\HP UT LEDM\\bin\\hppusg.exe"=
"c:\\Program Files\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\WINWORD.EXE"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [11.9.2009 7:23 108792]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [17.12.2009 11:37 39424]
S2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [11.9.2009 7:24 735960]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
S3 mvusbews;USB EWS Device;c:\windows\system32\drivers\mvusbews.sys [10.11.2010 13:49 17408]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [9.1.2010 21:37 4640000]
S3 SQLAgent$SPZSQL2011;SQLAgent$SPZSQL2011;c:\program files\Microsoft SQL Server\MSSQL$SPZSQL2011\Binn\sqlagent.EXE -i SPZSQL2011 --> c:\program files\Microsoft SQL Server\MSSQL$SPZSQL2011\Binn\sqlagent.EXE -i SPZSQL2011 [?]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://downloads.phpnuke.org/en/index.php?rvs=google
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Od&eslat do aplikace OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1
DPF: {672EE252-D813-4F5E-81BB-5DD163DD4FA5} - hxxps://www.mojedatovaschranka.cz/static/pages/ ... ?3,16,13,0
FF - ProfilePath - c:\documents and settings\acer\Data aplikací\Mozilla\Firefox\Profiles\7mx24ojz.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.seznam.cz
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-24 17:15
Windows 5.1.2600 Service Pack 3 NTFS
.
skenování skrytých procesů ...
.
skenování skrytých položek 'Po spuštění' ...
.
skenování skrytých souborů ...
.
sken byl úspešně dokončen
skryté soubory: 0
.
**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------
.
- - - - - - - > 'explorer.exe'(1532)
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Celkový čas: 2011-11-24 17:17:19 - počítač byl restartován
ComboFix-quarantined-files.txt 2011-11-24 16:17
ComboFix2.txt 2011-11-24 15:43
.
Před spuštěním: Volných bajtů: 232 348 143 616
Po spuštění: Volných bajtů: 232 338 456 576
.
- - End Of File - - 04BACCD26EBD5A32477C9DF36905309F

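The ComboFix log above records two things a helper looks at first: `"EnableFirewall"= 0` in the standard profile and a `GloballyOpenPorts` entry for `3389:TCP` (the Remote Desktop exception). As an added example (not code from this thread, from ComboFix or from anyone posting here), the script below parses those `firewallpolicy` registry blocks from a constructed excerpt of the log and reports the disabled firewall, the globally open ports and any authorized application that lives outside `%windir%` or `Program Files`. The list of "risky" ports and the trusted path prefixes are my own assumptions for a home XP workstation.

```python
"""
Triage of the firewall-policy section of a ComboFix log.

Added example, not code from the thread or from ComboFix. It parses the
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\...] blocks that
ComboFix prints and reports what a helper checks first: whether the Windows
firewall is on, which ports are open to every remote host, and which
authorized applications live outside the usual program directories.
"""
import re

# Constructed sample: an excerpt copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\hp_CLJ_CM1015-CM1017_Full_Solution\\setup\\HPZnet01.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
"""

SECTION_RE = re.compile(
    r"^\[(HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\[^\]]*)\]$"
)
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')

# Assumption: exceptions under these prefixes are normal on an XP box.
TRUSTED_PREFIXES = ("%windir%\\", "c:\\program files\\", "c:\\windows\\")
# Assumption: ports that should not be open to all hosts on a home workstation.
WELL_KNOWN_RISKY_PORTS = {
    "3389:TCP": "Remote Desktop (RDP)",
    "445:TCP": "SMB",
    "139:TCP": "NetBIOS",
}


def parse_firewall_policy(text):
    """Return {section_name: {value_name: value_data}} for the firewallpolicy sections."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = {}
            continue
        if current is None or line in ("", "."):
            continue
        m = VALUE_RE.match(line)
        if m:
            # ComboFix doubles the backslashes in value names; collapse them.
            name = m.group(1).replace("\\\\", "\\")
            sections[current][name] = m.group(2).strip()
    return sections


def triage(text):
    """Return a list of human-readable findings for a ComboFix firewall-policy excerpt."""
    findings = []
    for name, values in parse_firewall_policy(text).items():
        # HKLM\~\services\sharedaccess\parameters\firewallpolicy\<profile>[\...]
        profile = name.split("\\")[6]
        if name.endswith(profile):
            if values.get("EnableFirewall", "").startswith("0"):
                findings.append(f"{profile}: Windows firewall is disabled (EnableFirewall=0)")
        elif name.endswith("GloballyOpenPorts\\List"):
            for port in values:
                label = WELL_KNOWN_RISKY_PORTS.get(port, "unknown service")
                findings.append(f"{profile}: port {port} ({label}) is open to all remote hosts")
        elif name.endswith("AuthorizedApplications\\List"):
            for app in values:
                if not app.lower().startswith(TRUSTED_PREFIXES):
                    findings.append(f"{profile}: authorized application outside program dirs: {app}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

On the excerpt above the script reports three findings: the disabled firewall, the globally open RDP port, and the HP setup executable authorized from a non-standard directory. A firewall that is off and cannot be re-enabled (as the poster describes) is a service-level problem, so the next step is the Windows Firewall/ICS service, not the policy values themselves.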
vyosek
VIP
Posts: 56373
Registered: 07 Nov 2006 15:24
Location: Šalingrad - Brno

Re: Virus-infected PC, asking for advice.

#8 Post by vyosek »

Don't you have any large files/folders on the desktop?

There should only be shortcuts on the desktop.
"He who has wine and doesn't drink it, who has grapes and doesn't eat them, who has a wife and doesn't kiss her, who shuns merriment, take a whip and a stick to him; that's not a man, that's an ox."
Member since 1 February 2011.

Acer
Guest
Posts: 7
Registered: 24 Nov 2011 14:08

Re: Virus-infected PC, asking for advice.

#9 Post by Acer »

A few documents... Nothing big.

vyosek
VIP
Posts: 56373
Registered: 07 Nov 2006 15:24
Location: Šalingrad - Brno

Re: Virus-infected PC, asking for advice.

#10 Post by vyosek »

:arrow: In safe mode (restart the PC, keep pressing F8, choose Safe Mode with Networking) run the PC through these utilities, so we get rid of the remnants of the antiviruses you have there :arrow: Install PC security

:arrow: Download SPTD http://www.duplexsecure.com/en/downloads
  • On that page choose the version for your operating system (32-bit (x86) or 64-bit (x64))
  • Save it to the desktop and run it
  • Choose the Uninstall option and restart the PC; if it can't be clicked (the button is grey), skip this step
:arrow: Download Defogger http://www.jpshortstuff.247fixes.com/Defogger.exe
  • Save it to the desktop and run it
  • Click Disable and restart the PC; if it can't be clicked (the button is grey), skip this step
:arrow: Download MBR to the desktop http://www2.gmer.net/mbr/mbr.exe but don't run it

:arrow: Click Start and then Run, or use the keyboard shortcut Win+R
  • A small window will pop up; copy the text below into it
  • Code:

    "%userprofile%\plocha\mbr" -t -s
  • Click OK
  • A log named mbr.txt will be created on the desktop; paste its contents here for me
:arrow: Post the logs from Gmer - see my signature

Acer
Guest
Posts: 7
Registered: 24 Nov 2011 14:08

Re: Virus-infected PC, asking for advice.

#11 Post by Acer »

After pressing F8 I can't use the arrow keys to choose between Safe Mode, Safe Mode with Networking, etc.; after pressing F8 the keyboard no longer responds to anything. And I wasn't hammering the key so hard that it should have frozen. :) The countdown runs normally and then Windows starts.

vyosek
VIP
Posts: 56373
Registered: 07 Nov 2006 15:24
Location: Šalingrad - Brno

Re: Virus-infected PC, asking for advice.

#12 Post by vyosek »

I assume you have the keyboard plugged into USB; that will be exactly the reason...

Try applying those utilities in normal mode.

Acer
Guest
Posts: 7
Registered: 24 Nov 2011 14:08

Re: Virus-infected PC, asking for advice.

#13 Post by Acer »

In Device Manager everything that has anything to do with the net is disabled: DHCP, the TCP/IP drivers and the Avast shield.
Avast keeps reporting that all shields are off; they can't be turned on. The firewall can't be turned on either.
I'll also add that every time I pull the flash drive out of the infected PC a balloon pops up, "delayed write failed", and then on this laptop Avast finds on the flash drive a file such as 858550rar.exe, which it flags as infected and deletes.

The second Gmer log stopped, I don't know why... so I'm posting what I have.
-----------------------------------------------------------------------------------------------------------------------
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD2500AAJB-00J3A0 rev.01.03E01 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
1 nt!IofCallDriver[0x804E1397] -> \Device\Harddisk0\DR0[0x8A550AB8]
3 CLASSPNP[0xF7637FD7] -> nt!IofCallDriver[0x804E1397] -> \Device\00000064[0x8A58F0A0]
5 ACPI[0xF75AE620] -> nt!IofCallDriver[0x804E1397] -> \Device\Ide\IdeDeviceP0T0L0-3[0x8A5D2588]
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
user & kernel MBR OK

------------- GMER ------------ LOG 1---------------------------
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-11-24 21:37:44
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD2500AAJB-00J3A0 rev.01.03E01
Running: gmer.exe; Driver: C:\DOCUME~1\acer\LOCALS~1\Temp\uwriqpog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xA91F3D5A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xA91F3BC5]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xA924B9A6]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)

Device \FileSystem\Fastfat \Fat aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)

---- EOF - GMER 1.0.15 ----

---------------GMER LOG 2 --------------------------------------------------------------

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-11-24 22:20:20
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD2500AAJB-00J3A0 rev.01.03E01
Running: gmer.exe; Driver: C:\DOCUME~1\acer\LOCALS~1\Temp\uwriqpog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0xA91CF374]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0xA92362B8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwClose [0xA91F3829]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0xA91D1996]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0xA91D19EE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0xA91D1B04]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateKey [0xA91F31DD]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0xA91D18EC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0xA91D1A3E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0xA91D1940]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0xA91D1AB2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0xA91CF398]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteKey [0xA91F3EEF]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteValueKey [0xA91F41A5]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDuplicateObject [0xA91D1D88]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xA91F3D5A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xA91F3BC5]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0xA9236368]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0xA91CF162]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0xA91CF3BC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0xA91D1EFC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0xA91CFE54]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0xA91D19C6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0xA91D1A16]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0xA91D1B2E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenKey [0xA91F3539]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0xA91D1918]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenProcess [0xA91D1BC0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0xA91D1A7E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0xA91D196E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenThread [0xA91D1CA4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0xA91D1ADC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0xA9236400]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryKey [0xA91F3A40]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0xA91CFD1A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryValueKey [0xA91F3892]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xA923E6E2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwRestoreKey [0xA91F2850]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0xA91CF3E0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0xA91CF404]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0xA91CF1BC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0xA91CF2F8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetValueKey [0xA91F3FF6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0xA91CF2D4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0xA91CF31C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0xA91CF428]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xA924B9A6]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC 805A648C 4 Bytes CALL A91D04AF \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 805BC512 5 Bytes JMP A92473DE \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObInsertObject 805C2F96 5 Bytes JMP A9248E84 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1136 7 Bytes JMP A924B9AA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
.text win32k.sys!EngFreeUserMem + 674 BF809FDF 5 Bytes JMP A91D2E48 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngDeleteSurface + 45 BF8138FE 5 Bytes JMP A91D2D54 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!BRUSHOBJ_pvAllocRbrush + 320C BF81E743 5 Bytes JMP A91D2016 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngSetLastError + 7657 BF82868B 5 Bytes JMP A91D20DA \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateBitmap + 698 BF838560 5 Bytes JMP A91D2FB2 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateBitmap + BB6 BF838A7E 5 Bytes JMP A91D2CC4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateBitmap + 3605 BF83B4CD 5 Bytes JMP A91D31BA \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateBitmap + D9AB BF845873 5 Bytes JMP A91D214A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngMultiByteToWideChar + 2F20 BF8527E0 5 Bytes JMP A91D1FFE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngMultiByteToWideChar + 84B4 BF857D74 5 Bytes JMP A91D3118 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!XLATEOBJ_iXlate + 23AD BF873983 5 Bytes JMP A91D2EFA \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngStretchBlt + 37BB BF87882D 5 Bytes JMP A91D2D7E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngGetCurrentCodePage + 413A BF890AD9 5 Bytes JMP A91D24A4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngGradientFill + 4B52 BF8B3770 5 Bytes JMP A91D2326 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngGradientFill + 4BDD BF8B37FB 5 Bytes JMP A91D24CC \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngAlphaBlend + 9286 BF8C31E7 5 Bytes JMP A91D21E4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!PATHOBJ_bCloseFigure + 19CE BF8ED991 5 Bytes JMP A91D1F32 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!PATHOBJ_bCloseFigure + D4C6 BF8F9489 5 Bytes JMP A91D2254 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!PATHOBJ_bCloseFigure + D746 BF8F9709 5 Bytes JMP A91D228E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateClip + 1994 BF912612 5 Bytes JMP A91D2096 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateClip + 2568 BF9131E6 3 Bytes JMP A91D21AE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateClip + 256C BF9131EA 1 Byte [E9]
.text win32k.sys!EngCreateClip + 4F29 BF915BA7 5 Bytes JMP A91D25E6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngPlgBlt + 1931 BF9438F8 5 Bytes JMP A91D3070 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\AVAST Software\Avast\avastUI.exe[200] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62]
.text C:\Program Files\AVAST Software\Avast\avastUI.exe[200] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62]
.text C:\WINDOWS\system32\ctfmon.exe[208] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 000A01F8
.text C:\WINDOWS\system32\ctfmon.exe[208] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62]
.text C:\WINDOWS\system32\ctfmon.exe[208] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 000A03FC
.text C:\WINDOWS\system32\ctfmon.exe[208] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62]
.text C:\WINDOWS\system32\ctfmon.exe[208] ADVAPI32.dll!SetServiceObjectSecurity 77E26D59 5 Bytes JMP 00381014
.text C:\WINDOWS\system32\ctfmon.exe[208] ADVAPI32.dll!ChangeServiceConfigA 77E26E41 5 Bytes JMP 00380804
.text C:\WINDOWS\system32\ctfmon.exe[208] ADVAPI32.dll!ChangeServiceConfigW 77E26FD9 5 Bytes JMP 00380A08
.text C:\WINDOWS\system32\ctfmon.exe[208] ADVAPI32.dll!ChangeServiceConfig2A 77E270D9 5 Bytes JMP 00380C0C
.text C:\WINDOWS\system32\ctfmon.exe[208] ADVAPI32.dll!ChangeServiceConfig2W 77E27161 5 Bytes JMP 00380E10
.text C:\WINDOWS\system32\ctfmon.exe[208] ADVAPI32.dll!CreateServiceA 77E271E9 5 Bytes JMP 003801F8
.text C:\WINDOWS\system32\ctfmon.exe[208] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 003803FC
.text C:\WINDOWS\system32\ctfmon.exe[208] ADVAPI32.dll!DeleteService 77E27489 5 Bytes JMP 00380600
.text C:\WINDOWS\system32\ctfmon.exe[208] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 00390804
.text C:\WINDOWS\system32\ctfmon.exe[208] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 00390A08
.text C:\WINDOWS\system32\ctfmon.exe[208] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00390600
.text C:\WINDOWS\system32\ctfmon.exe[208] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 003901F8
.text C:\WINDOWS\system32\ctfmon.exe[208] USER32.dll!UnhookWinEvent 7E3818AC 3 Bytes JMP 003903FC
.text C:\WINDOWS\system32\ctfmon.exe[208] USER32.dll!UnhookWinEvent + 4 7E3818B0 1 Byte [82]
.text C:\WINDOWS\System32\smss.exe[456] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62]
.text C:\WINDOWS\system32\csrss.exe[504] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62]
.text C:\WINDOWS\system32\csrss.exe[504] KERNEL32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62]
.text C:\WINDOWS\system32\winlogon.exe[528] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 000701F8
.text C:\WINDOWS\system32\winlogon.exe[528] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62]
.text C:\WINDOWS\system32\winlogon.exe[528] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 000703FC
.text C:\WINDOWS\system32\winlogon.exe[528] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62]
.text C:\WINDOWS\system32\winlogon.exe[528] ADVAPI32.dll!SetServiceObjectSecurity 77E26D59 5 Bytes JMP 00301014
.text C:\WINDOWS\system32\winlogon.exe[528] ADVAPI32.dll!ChangeServiceConfigA 77E26E41 5 Bytes JMP 00300804
.text C:\WINDOWS\system32\winlogon.exe[528] ADVAPI32.dll!ChangeServiceConfigW 77E26FD9 5 Bytes JMP 00300A08
.text C:\WINDOWS\system32\winlogon.exe[528] ADVAPI32.dll!ChangeServiceConfig2A 77E270D9 5 Bytes JMP 00300C0C
.text C:\WINDOWS\system32\winlogon.exe[528] ADVAPI32.dll!ChangeServiceConfig2W 77E27161 5 Bytes JMP 00300E10
.text C:\WINDOWS\system32\winlogon.exe[528] ADVAPI32.dll!CreateServiceA 77E271E9 5 Bytes JMP 003001F8
.text C:\WINDOWS\system32\winlogon.exe[528] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 003003FC
.text C:\WINDOWS\system32\winlogon.exe[528] ADVAPI32.dll!DeleteService 77E27489 5 Bytes JMP 00300600
.text C:\WINDOWS\system32\winlogon.exe[528] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 00310804
.text C:\WINDOWS\system32\winlogon.exe[528] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 00310A08
.text C:\WINDOWS\system32\winlogon.exe[528] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00310600
.text C:\WINDOWS\system32\winlogon.exe[528] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 003101F8
.text C:\WINDOWS\system32\winlogon.exe[528] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 003103FC
.text C:\WINDOWS\system32\services.exe[572] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\services.exe[572] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62]
.text C:\WINDOWS\system32\services.exe[572] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\services.exe[572] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62]
.text C:\WINDOWS\system32\services.exe[572] ADVAPI32.dll!SetServiceObjectSecurity 77E26D59 5 Bytes JMP 00301014
.text C:\WINDOWS\system32\services.exe[572] ADVAPI32.dll!ChangeServiceConfigA 77E26E41 5 Bytes JMP 00300804
.text C:\WINDOWS\system32\services.exe[572] ADVAPI32.dll!ChangeServiceConfigW 77E26FD9 5 Bytes JMP 00300A08
.text C:\WINDOWS\system32\services.exe[572] ADVAPI32.dll!ChangeServiceConfig2A 77E270D9 5 Bytes JMP 00300C0C
.text C:\WINDOWS\system32\services.exe[572] ADVAPI32.dll!ChangeServiceConfig2W 77E27161 5 Bytes JMP 00300E10
.text C:\WINDOWS\system32\services.exe[572] ADVAPI32.dll!CreateServiceA 77E271E9 5 Bytes JMP 003001F8
.text C:\WINDOWS\system32\services.exe[572] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 003003FC
.text C:\WINDOWS\system32\services.exe[572] ADVAPI32.dll!DeleteService 77E27489 5 Bytes JMP 00300600
.text C:\WINDOWS\system32\services.exe[572] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 00310804
.text C:\WINDOWS\system32\services.exe[572] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 00310A08
.text C:\WINDOWS\system32\services.exe[572] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00310600
.text C:\WINDOWS\system32\services.exe[572] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 003101F8
.text C:\WINDOWS\system32\services.exe[572] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 003103FC
.text C:\WINDOWS\system32\lsass.exe[584] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\lsass.exe[584] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62]
.text C:\WINDOWS\system32\lsass.exe[584] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\lsass.exe[584] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62]
.text C:\WINDOWS\system32\lsass.exe[584] ADVAPI32.dll!SetServiceObjectSecurity 77E26D59 5 Bytes JMP 00301014
.text C:\WINDOWS\system32\lsass.exe[584] ADVAPI32.dll!ChangeServiceConfigA 77E26E41 5 Bytes JMP 00300804
.text C:\WINDOWS\system32\lsass.exe[584] ADVAPI32.dll!ChangeServiceConfigW 77E26FD9 5 Bytes JMP 00300A08
.text C:\WINDOWS\system32\lsass.exe[584] ADVAPI32.dll!ChangeServiceConfig2A 77E270D9 5 Bytes JMP 00300C0C
.text C:\WINDOWS\system32\lsass.exe[584] ADVAPI32.dll!ChangeServiceConfig2W 77E27161 5 Bytes JMP 00300E10
.text C:\WINDOWS\system32\lsass.exe[584] ADVAPI32.dll!CreateServiceA 77E271E9 5 Bytes JMP 003001F8
.text C:\WINDOWS\system32\lsass.exe[584] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 003003FC
.text C:\WINDOWS\system32\lsass.exe[584] ADVAPI32.dll!DeleteService 77E27489 5 Bytes JMP 00300600
.text C:\WINDOWS\system32\lsass.exe[584] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 00310804
.text C:\WINDOWS\system32\lsass.exe[584] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 00310A08
.text C:\WINDOWS\system32\lsass.exe[584] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00310600
.text C:\WINDOWS\system32\lsass.exe[584] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 003101F8
.text C:\WINDOWS\system32\lsass.exe[584] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 003103FC
.text C:\WINDOWS\system32\svchost.exe[748] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\svchost.exe[748] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[748] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[748] ADVAPI32.dll!SetServiceObjectSecurity 77E26D59 5 Bytes JMP 00301014
.text C:\WINDOWS\system32\svchost.exe[748] ADVAPI32.dll!ChangeServiceConfigA 77E26E41 5 Bytes JMP 00300804
.text C:\WINDOWS\system32\svchost.exe[748] ADVAPI32.dll!ChangeServiceConfigW 77E26FD9 5 Bytes JMP 00300A08
.text C:\WINDOWS\system32\svchost.exe[748] ADVAPI32.dll!ChangeServiceConfig2A 77E270D9 5 Bytes JMP 00300C0C
.text C:\WINDOWS\system32\svchost.exe[748] ADVAPI32.dll!ChangeServiceConfig2W 77E27161 5 Bytes JMP 00300E10
.text C:\WINDOWS\system32\svchost.exe[748] ADVAPI32.dll!CreateServiceA 77E271E9 5 Bytes JMP 003001F8
.text C:\WINDOWS\system32\svchost.exe[748] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 003003FC
.text C:\WINDOWS\system32\svchost.exe[748] ADVAPI32.dll!DeleteService 77E27489 5 Bytes JMP 00300600
.text C:\WINDOWS\system32\svchost.exe[748] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 00310804
.text C:\WINDOWS\system32\svchost.exe[748] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 00310A08
.text C:\WINDOWS\system32\svchost.exe[748] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00310600
.text C:\WINDOWS\system32\svchost.exe[748] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 003101F8
.text C:\WINDOWS\system32\svchost.exe[748] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 003103FC
.text C:\WINDOWS\system32\svchost.exe[816] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\svchost.exe[816] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[816] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\svchost.exe[816] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[816] ADVAPI32.dll!SetServiceObjectSecurity 77E26D59 5 Bytes JMP 00301014
.text C:\WINDOWS\system32\svchost.exe[816] ADVAPI32.dll!ChangeServiceConfigA 77E26E41 5 Bytes JMP 00300804
.text C:\WINDOWS\system32\svchost.exe[816] ADVAPI32.dll!ChangeServiceConfigW 77E26FD9 5 Bytes JMP 00300A08
.text C:\WINDOWS\system32\svchost.exe[816] ADVAPI32.dll!ChangeServiceConfig2A 77E270D9 5 Bytes JMP 00300C0C
.text C:\WINDOWS\system32\svchost.exe[816] ADVAPI32.dll!ChangeServiceConfig2W 77E27161 5 Bytes JMP 00300E10
.text C:\WINDOWS\system32\svchost.exe[816] ADVAPI32.dll!CreateServiceA 77E271E9 5 Bytes JMP 003001F8
.text C:\WINDOWS\system32\svchost.exe[816] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 003003FC
.text C:\WINDOWS\system32\svchost.exe[816] ADVAPI32.dll!DeleteService 77E27489 5 Bytes JMP 00300600
.text C:\WINDOWS\system32\svchost.exe[816] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 00310804
.text C:\WINDOWS\system32\svchost.exe[816] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 00310A08
.text C:\WINDOWS\system32\svchost.exe[816] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00310600
.text C:\WINDOWS\system32\svchost.exe[816] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 003101F8
.text C:\WINDOWS\system32\svchost.exe[816] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 003103FC
.text C:\WINDOWS\System32\svchost.exe[848] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 000901F8
.text C:\WINDOWS\System32\svchost.exe[848] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[848] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 000903FC
.text C:\WINDOWS\System32\svchost.exe[848] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[848] ADVAPI32.dll!SetServiceObjectSecurity 77E26D59 5 Bytes JMP 00301014
.text C:\WINDOWS\System32\svchost.exe[848] ADVAPI32.dll!ChangeServiceConfigA 77E26E41 5 Bytes JMP 00300804
.text C:\WINDOWS\System32\svchost.exe[848] ADVAPI32.dll!ChangeServiceConfigW 77E26FD9 5 Bytes JMP 00300A08
.text C:\WINDOWS\System32\svchost.exe[848] ADVAPI32.dll!ChangeServiceConfig2A 77E270D9 5 Bytes JMP 00300C0C
.text C:\WINDOWS\System32\svchost.exe[848] ADVAPI32.dll!ChangeServiceConfig2W 77E27161 5 Bytes JMP 00300E10
.text C:\WINDOWS\System32\svchost.exe[848] ADVAPI32.dll!CreateServiceA 77E271E9 5 Bytes JMP 003001F8
.text C:\WINDOWS\System32\svchost.exe[848] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 003003FC
.text C:\WINDOWS\System32\svchost.exe[848] ADVAPI32.dll!DeleteService 77E27489 5 Bytes JMP 00300600
.text C:\WINDOWS\System32\svchost.exe[848] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 00310804
.text C:\WINDOWS\System32\svchost.exe[848] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 00310A08
.text C:\WINDOWS\System32\svchost.exe[848] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00310600
.text C:\WINDOWS\System32\svchost.exe[848] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 003101F8
.text C:\WINDOWS\System32\svchost.exe[848] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 003103FC
.text C:\WINDOWS\System32\svchost.exe[932] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 000901F8
.text C:\WINDOWS\System32\svchost.exe[932] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[932] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 000903FC
.text C:\WINDOWS\System32\svchost.exe[932] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[932] ADVAPI32.dll!SetServiceObjectSecurity 77E26D59 5 Bytes JMP 00301014
.text C:\WINDOWS\System32\svchost.exe[932] ADVAPI32.dll!ChangeServiceConfigA 77E26E41 5 Bytes JMP 00300804
.text C:\WINDOWS\System32\svchost.exe[932] ADVAPI32.dll!ChangeServiceConfigW 77E26FD9 5 Bytes JMP 00300A08
.text C:\WINDOWS\System32\svchost.exe[932] ADVAPI32.dll!ChangeServiceConfig2A 77E270D9 5 Bytes JMP 00300C0C
.text C:\WINDOWS\System32\svchost.exe[932] ADVAPI32.dll!ChangeServiceConfig2W 77E27161 5 Bytes JMP 00300E10
.text C:\WINDOWS\System32\svchost.exe[932] ADVAPI32.dll!CreateServiceA 77E271E9 5 Bytes JMP 003001F8
.text C:\WINDOWS\System32\svchost.exe[932] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 003003FC
.text C:\WINDOWS\System32\svchost.exe[932] ADVAPI32.dll!DeleteService 77E27489 5 Bytes JMP 00300600
.text C:\WINDOWS\System32\svchost.exe[932] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 00310804
.text C:\WINDOWS\System32\svchost.exe[932] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 00310A08
.text C:\WINDOWS\System32\svchost.exe[932] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00310600
.text C:\WINDOWS\System32\svchost.exe[932] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 003101F8
.text C:\WINDOWS\System32\svchost.exe[932] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 003103FC
.text C:\WINDOWS\system32\svchost.exe[960] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\svchost.exe[960] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[960] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[960] ADVAPI32.dll!SetServiceObjectSecurity 77E26D59 5 Bytes JMP 00311014
.text C:\WINDOWS\system32\svchost.exe[960] ADVAPI32.dll!ChangeServiceConfigA 77E26E41 5 Bytes JMP 00310804
.text C:\WINDOWS\system32\svchost.exe[960] ADVAPI32.dll!ChangeServiceConfigW 77E26FD9 5 Bytes JMP 00310A08
.text C:\WINDOWS\system32\svchost.exe[960] ADVAPI32.dll!ChangeServiceConfig2A 77E270D9 5 Bytes JMP 00310C0C
.text C:\WINDOWS\system32\svchost.exe[960] ADVAPI32.dll!ChangeServiceConfig2W 77E27161 5 Bytes JMP 00310E10
.text C:\WINDOWS\system32\svchost.exe[960] ADVAPI32.dll!CreateServiceA 77E271E9 5 Bytes JMP 003101F8
.text C:\WINDOWS\system32\svchost.exe[960] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 003103FC
.text C:\WINDOWS\system32\svchost.exe[960] ADVAPI32.dll!DeleteService 77E27489 5 Bytes JMP 00310600
.text C:\WINDOWS\system32\svchost.exe[960] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 00320804
.text C:\WINDOWS\system32\svchost.exe[960] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 00320A08
.text C:\WINDOWS\system32\svchost.exe[960] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00320600
.text C:\WINDOWS\system32\svchost.exe[960] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 003201F8
.text C:\WINDOWS\system32\svchost.exe[960] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 003203FC
.text C:\WINDOWS\System32\svchost.exe[980] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 000901F8
.text C:\WINDOWS\System32\svchost.exe[980] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[980] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 000903FC
.text C:\WINDOWS\System32\svchost.exe[980] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[980] ADVAPI32.dll!SetServiceObjectSecurity 77E26D59 5 Bytes JMP 00301014
.text C:\WINDOWS\System32\svchost.exe[980] ADVAPI32.dll!ChangeServiceConfigA 77E26E41 5 Bytes JMP 00300804
.text C:\WINDOWS\System32\svchost.exe[980] ADVAPI32.dll!ChangeServiceConfigW 77E26FD9 5 Bytes JMP 00300A08
.text C:\WINDOWS\System32\svchost.exe[980] ADVAPI32.dll!ChangeServiceConfig2A 77E270D9 5 Bytes JMP 00300C0C
.text C:\WINDOWS\System32\svchost.exe[980] ADVAPI32.dll!ChangeServiceConfig2W 77E27161 5 Bytes JMP 00300E10
.text C:\WINDOWS\System32\svchost.exe[980] ADVAPI32.dll!CreateServiceA 77E271E9 5 Bytes JMP 003001F8
.text C:\WINDOWS\System32\svchost.exe[980] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 003003FC
.text C:\WINDOWS\System32\svchost.exe[980] ADVAPI32.dll!DeleteService 77E27489 5 Bytes JMP 00300600
.text C:\WINDOWS\System32\svchost.exe[980] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 00310804
.text C:\WINDOWS\System32\svchost.exe[980] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 00310A08
.text C:\WINDOWS\System32\svchost.exe[980] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00310600
.text C:\WINDOWS\System32\svchost.exe[980] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 003101F8
.text C:\WINDOWS\System32\svchost.exe[980] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 003103FC
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1120] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62]
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1120] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1120] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62]
.text C:\WINDOWS\system32\spoolsv.exe[1556] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\spoolsv.exe[1556] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62]
.text C:\WINDOWS\system32\spoolsv.exe[1556] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\spoolsv.exe[1556] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62]
.text C:\WINDOWS\system32\spoolsv.exe[1556] ADVAPI32.dll!SetServiceObjectSecurity 77E26D59 5 Bytes JMP 00301014
.text C:\WINDOWS\system32\spoolsv.exe[1556] ADVAPI32.dll!ChangeServiceConfigA 77E26E41 5 Bytes JMP 00300804
.text C:\WINDOWS\system32\spoolsv.exe[1556] ADVAPI32.dll!ChangeServiceConfigW 77E26FD9 5 Bytes JMP 00300A08
.text C:\WINDOWS\system32\spoolsv.exe[1556] ADVAPI32.dll!ChangeServiceConfig2A 77E270D9 5 Bytes JMP 00300C0C
.text C:\WINDOWS\system32\spoolsv.exe[1556] ADVAPI32.dll!ChangeServiceConfig2W 77E27161 5 Bytes JMP 00300E10
.text C:\WINDOWS\system32\spoolsv.exe[1556] ADVAPI32.dll!CreateServiceA 77E271E9 5 Bytes JMP 003001F8
.text C:\WINDOWS\system32\spoolsv.exe[1556] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 003003FC
.text C:\WINDOWS\system32\spoolsv.exe[1556] ADVAPI32.dll!DeleteService 77E27489 5 Bytes JMP 00300600
.text C:\WINDOWS\system32\spoolsv.exe[1556] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 00310804
.text C:\WINDOWS\system32\spoolsv.exe[1556] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 00310A08
.text C:\WINDOWS\system32\spoolsv.exe[1556] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00310600
.text C:\WINDOWS\system32\spoolsv.exe[1556] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 003101F8
.text C:\WINDOWS\system32\spoolsv.exe[1556] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 003103FC
.text C:\WINDOWS\Explorer.EXE[1844] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 000901F8
.text C:\WINDOWS\Explorer.EXE[1844] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62]
.text C:\WINDOWS\Explorer.EXE[1844] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 000903FC
.text C:\WINDOWS\Explorer.EXE[1844] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62]
.text C:\WINDOWS\Explorer.EXE[1844] ADVAPI32.dll!SetServiceObjectSecurity 77E26D59 5 Bytes JMP 00381014
.text C:\WINDOWS\Explorer.EXE[1844] ADVAPI32.dll!ChangeServiceConfigA 77E26E41 5 Bytes JMP 00380804
.text C:\WINDOWS\Explorer.EXE[1844] ADVAPI32.dll!ChangeServiceConfigW 77E26FD9 5 Bytes JMP 00380A08
.text C:\WINDOWS\Explorer.EXE[1844] ADVAPI32.dll!ChangeServiceConfig2A 77E270D9 5 Bytes JMP 00380C0C
.text C:\WINDOWS\Explorer.EXE[1844] ADVAPI32.dll!ChangeServiceConfig2W 77E27161 5 Bytes JMP 00380E10
.text C:\WINDOWS\Explorer.EXE[1844] ADVAPI32.dll!CreateServiceA 77E271E9 5 Bytes JMP 003801F8
.text C:\WINDOWS\Explorer.EXE[1844] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 003803FC
.text C:\WINDOWS\Explorer.EXE[1844] ADVAPI32.dll!DeleteService 77E27489 5 Bytes JMP 00380600
.text C:\WINDOWS\Explorer.EXE[1844] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 00390804
.text C:\WINDOWS\Explorer.EXE[1844] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 00390A08
.text C:\WINDOWS\Explorer.EXE[1844] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00390600
.text C:\WINDOWS\Explorer.EXE[1844] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 003901F8
.text C:\WINDOWS\Explorer.EXE[1844] USER32.dll!UnhookWinEvent 7E3818AC 3 Bytes JMP 003903FC
.text C:\WINDOWS\Explorer.EXE[1844] USER32.dll!UnhookWinEvent + 4 7E3818B0 1 Byte [82]
.text C:\WINDOWS\system32\igfxtray.exe[1968] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 001501F8
.text C:\WINDOWS\system32\igfxtray.exe[1968] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62]
.text C:\WINDOWS\system32\igfxtray.exe[1968] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 001503FC
.text C:\WINDOWS\system32\igfxtray.exe[1968] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62]
.text C:\WINDOWS\system32\igfxtray.exe[1968] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 003F0804
.text C:\WINDOWS\system32\igfxtray.exe[1968] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 003F0A08
.text C:\WINDOWS\system32\igfxtray.exe[1968] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 003F0600
.text C:\WINDOWS\system32\igfxtray.exe[1968] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 003F01F8
.text C:\WINDOWS\system32\igfxtray.exe[1968] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 003F03FC
.text C:\WINDOWS\system32\igfxtray.exe[1968] ADVAPI32.dll!SetServiceObjectSecurity 77E26D59 5 Bytes JMP 00431014
.text C:\WINDOWS\system32\igfxtray.exe[1968] ADVAPI32.dll!ChangeServiceConfigA 77E26E41 5 Bytes JMP 00430804
.text C:\WINDOWS\system32\igfxtray.exe[1968] ADVAPI32.dll!ChangeServiceConfigW 77E26FD9 5 Bytes JMP 00430A08
.text C:\WINDOWS\system32\igfxtray.exe[1968] ADVAPI32.dll!ChangeServiceConfig2A 77E270D9 5 Bytes JMP 00430C0C
.text C:\WINDOWS\system32\igfxtray.exe[1968] ADVAPI32.dll!ChangeServiceConfig2W 77E27161 5 Bytes JMP 00430E10
.text C:\WINDOWS\system32\igfxtray.exe[1968] ADVAPI32.dll!CreateServiceA 77E271E9 5 Bytes JMP 004301F8
.text C:\WINDOWS\system32\igfxtray.exe[1968] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 004303FC
.text C:\WINDOWS\system32\igfxtray.exe[1968] ADVAPI32.dll!DeleteService 77E27489 5 Bytes JMP 00430600
.text C:\WINDOWS\system32\hkcmd.exe[1976] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 001501F8
.text C:\WINDOWS\system32\hkcmd.exe[1976] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62]
.text C:\WINDOWS\system32\hkcmd.exe[1976] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 001503FC
.text C:\WINDOWS\system32\hkcmd.exe[1976] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62]
.text C:\WINDOWS\system32\hkcmd.exe[1976] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 003F0804
.text C:\WINDOWS\system32\hkcmd.exe[1976] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 003F0A08
.text C:\WINDOWS\system32\hkcmd.exe[1976] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 003F0600
.text C:\WINDOWS\system32\hkcmd.exe[1976] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 003F01F8
.text C:\WINDOWS\system32\hkcmd.exe[1976] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 003F03FC
.text C:\WINDOWS\system32\hkcmd.exe[1976] ADVAPI32.dll!SetServiceObjectSecurity 77E26D59 5 Bytes JMP 00431014
.text C:\WINDOWS\system32\hkcmd.exe[1976] ADVAPI32.dll!ChangeServiceConfigA 77E26E41 5 Bytes JMP 00430804
.text C:\WINDOWS\system32\hkcmd.exe[1976] ADVAPI32.dll!ChangeServiceConfigW 77E26FD9 5 Bytes JMP 00430A08
.text C:\WINDOWS\system32\hkcmd.exe[1976] ADVAPI32.dll!ChangeServiceConfig2A 77E270D9 5 Bytes JMP 00430C0C
.text C:\WINDOWS\system32\hkcmd.exe[1976] ADVAPI32.dll!ChangeServiceConfig2W 77E27161 5 Bytes JMP 00430E10
.text C:\WINDOWS\system32\hkcmd.exe[1976] ADVAPI32.dll!CreateServiceA 77E271E9 5 Bytes JMP 004301F8
.text C:\WINDOWS\system32\hkcmd.exe[1976] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 004303FC
.text C:\WINDOWS\system32\hkcmd.exe[1976] ADVAPI32.dll!DeleteService 77E27489 5 Bytes JMP 00430600
.text C:\WINDOWS\system32\igfxpers.exe[1984] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 001501F8
.text C:\WINDOWS\system32\igfxpers.exe[1984] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62]
.text C:\WINDOWS\system32\igfxpers.exe[1984] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 001503FC
.text C:\WINDOWS\system32\igfxpers.exe[1984] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62]
.text C:\WINDOWS\system32\igfxpers.exe[1984] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 003E0804
.text C:\WINDOWS\system32\igfxpers.exe[1984] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 003E0A08
.text C:\WINDOWS\system32\igfxpers.exe[1984] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 003E0600
.text C:\WINDOWS\system32\igfxpers.exe[1984] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 003E01F8
.text C:\WINDOWS\system32\igfxpers.exe[1984] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 003E03FC
.text C:\WINDOWS\system32\igfxpers.exe[1984] ADVAPI32.dll!SetServiceObjectSecurity 77E26D59 5 Bytes JMP 003F1014
.text C:\WINDOWS\system32\igfxpers.exe[1984] ADVAPI32.dll!ChangeServiceConfigA 77E26E41 5 Bytes JMP 003F0804
.text C:\WINDOWS\system32\igfxpers.exe[1984] ADVAPI32.dll!ChangeServiceConfigW 77E26FD9 5 Bytes JMP 003F0A08
.text C:\WINDOWS\system32\igfxpers.exe[1984] ADVAPI32.dll!ChangeServiceConfig2A 77E270D9 5 Bytes JMP 003F0C0C
.text C:\WINDOWS\system32\igfxpers.exe[1984] ADVAPI32.dll!ChangeServiceConfig2W 77E27161 5 Bytes JMP 003F0E10
.text C:\WINDOWS\system32\igfxpers.exe[1984] ADVAPI32.dll!CreateServiceA 77E271E9 5 Bytes JMP 003F01F8
.text C:\WINDOWS\system32\igfxpers.exe[1984] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 003F03FC
.text C:\WINDOWS\system32\igfxpers.exe[1984] ADVAPI32.dll!DeleteService 77E27489 5 Bytes JMP 003F0600
.text C:\WINDOWS\system32\igfxsrvc.exe[2008] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 001501F8
.text C:\WINDOWS\system32\igfxsrvc.exe[2008] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62]
.text C:\WINDOWS\system32\igfxsrvc.exe[2008] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 001503FC
.text C:\WINDOWS\system32\igfxsrvc.exe[2008] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62]
.text C:\WINDOWS\system32\igfxsrvc.exe[2008] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 003E0804
.text C:\WINDOWS\system32\igfxsrvc.exe[2008] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 003E0A08
.text C:\WINDOWS\system32\igfxsrvc.exe[2008] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 003E0600
.text C:\WINDOWS\system32\igfxsrvc.exe[2008] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 003E01F8
.text C:\WINDOWS\system32\igfxsrvc.exe[2008] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 003E03FC
.text C:\WINDOWS\system32\igfxsrvc.exe[2008] ADVAPI32.dll!SetServiceObjectSecurity 77E26D59 5 Bytes JMP 003F1014
.text C:\WINDOWS\system32\igfxsrvc.exe[2008] ADVAPI32.dll!ChangeServiceConfigA 77E26E41 5 Bytes JMP 003F0804
.text C:\WINDOWS\system32\igfxsrvc.exe[2008] ADVAPI32.dll!ChangeServiceConfigW 77E26FD9 5 Bytes JMP 003F0A08
.text C:\WINDOWS\system32\igfxsrvc.exe[2008] ADVAPI32.dll!ChangeServiceConfig2A 77E270D9 5 Bytes JMP 003F0C0C
.text C:\WINDOWS\system32\igfxsrvc.exe[2008] ADVAPI32.dll!ChangeServiceConfig2W 77E27161 5 Bytes JMP 003F0E10
.text C:\WINDOWS\system32\igfxsrvc.exe[2008] ADVAPI32.dll!CreateServiceA 77E271E9 5 Bytes JMP 003F01F8
.text C:\WINDOWS\system32\igfxsrvc.exe[2008] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 003F03FC
.text C:\WINDOWS\system32\igfxsrvc.exe[2008] ADVAPI32.dll!DeleteService 77E27489 5 Bytes JMP 003F0600
.text C:\WINDOWS\system32\wuauclt.exe[2788] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 000A01F8
.text C:\WINDOWS\system32\wuauclt.exe[2788] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62]
.text C:\WINDOWS\system32\wuauclt.exe[2788] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 000A03FC
.text C:\WINDOWS\system32\wuauclt.exe[2788] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62]
.text C:\WINDOWS\system32\wuauclt.exe[2788] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 00390804
.text C:\WINDOWS\system32\wuauclt.exe[2788] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 00390A08
.text C:\WINDOWS\system32\wuauclt.exe[2788] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00390600
.text C:\WINDOWS\system32\wuauclt.exe[2788] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 003901F8
.text C:\WINDOWS\system32\wuauclt.exe[2788] USER32.dll!UnhookWinEvent 7E3818AC 3 Bytes JMP 003903FC
.text C:\WINDOWS\system32\wuauclt.exe[2788] USER32.dll!UnhookWinEvent + 4 7E3818B0 1 Byte [82]
.text C:\WINDOWS\system32\wuauclt.exe[2788] ADVAPI32.dll!SetServiceObjectSecurity 77E26D59 5 Bytes JMP 003A1014
.text C:\WINDOWS\system32\wuauclt.exe[2788] ADVAPI32.dll!ChangeServiceConfigA 77E26E41 5 Bytes JMP 003A0804
.text C:\WINDOWS\system32\wuauclt.exe[2788] ADVAPI32.dll!ChangeServiceConfigW 77E26FD9 5 Bytes JMP 003A0A08
.text C:\WINDOWS\system32\wuauclt.exe[2788] ADVAPI32.dll!ChangeServiceConfig2A 77E270D9 5 Bytes JMP 003A0C0C
.text C:\WINDOWS\system32\wuauclt.exe[2788] ADVAPI32.dll!ChangeServiceConfig2W 77E27161 5 Bytes JMP 003A0E10
.text C:\WINDOWS\system32\wuauclt.exe[2788] ADVAPI32.dll!CreateServiceA 77E271E9 5 Bytes JMP 003A01F8
.text C:\WINDOWS\system32\wuauclt.exe[2788] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 003A03FC
.text C:\WINDOWS\system32\wuauclt.exe[2788] ADVAPI32.dll!DeleteService 77E27489 5 Bytes JMP 003A0600
.text E:\n\gmer\gmer.exe[2820] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 001501F8
.text E:\n\gmer\gmer.exe[2820] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62]
.text E:\n\gmer\gmer.exe[2820] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 001503FC
.text E:\n\gmer\gmer.exe[2820] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62]
.text E:\n\gmer\gmer.exe[2820] ADVAPI32.dll!SetServiceObjectSecurity 77E26D59 5 Bytes JMP 009C1014
.text E:\n\gmer\gmer.exe[2820] ADVAPI32.dll!ChangeServiceConfigA 77E26E41 5 Bytes JMP 009C0804
.text E:\n\gmer\gmer.exe[2820] ADVAPI32.dll!ChangeServiceConfigW 77E26FD9 5 Bytes JMP 009C0A08
.text E:\n\gmer\gmer.exe[2820] ADVAPI32.dll!ChangeServiceConfig2A 77E270D9 5 Bytes JMP 009C0C0C
.text E:\n\gmer\gmer.exe[2820] ADVAPI32.dll!ChangeServiceConfig2W 77E27161 5 Bytes JMP 009C0E10
.text E:\n\gmer\gmer.exe[2820] ADVAPI32.dll!CreateServiceA 77E271E9 5 Bytes JMP 009C01F8
.text E:\n\gmer\gmer.exe[2820] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 009C03FC
.text E:\n\gmer\gmer.exe[2820] ADVAPI32.dll!DeleteService 77E27489 5 Bytes JMP 009C0600
.text E:\n\gmer\gmer.exe[2820] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 009D0804
.text E:\n\gmer\gmer.exe[2820] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 009D0A08
.text E:\n\gmer\gmer.exe[2820] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 009D0600
.text E:\n\gmer\gmer.exe[2820] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 009D01F8
.text E:\n\gmer\gmer.exe[2820] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 009D03FC
.text C:\WINDOWS\system32\wscntfy.exe[2828] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\wscntfy.exe[2828] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62]
.text C:\WINDOWS\system32\wscntfy.exe[2828] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\wscntfy.exe[2828] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62]
.text C:\WINDOWS\system32\wscntfy.exe[2828] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 00320804
.text C:\WINDOWS\system32\wscntfy.exe[2828] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 00320A08
.text C:\WINDOWS\system32\wscntfy.exe[2828] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00320600
.text C:\WINDOWS\system32\wscntfy.exe[2828] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 003201F8
.text C:\WINDOWS\system32\wscntfy.exe[2828] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 003203FC
.text C:\WINDOWS\system32\wscntfy.exe[2828] ADVAPI32.dll!SetServiceObjectSecurity 77E26D59 5 Bytes JMP 00331014
.text C:\WINDOWS\system32\wscntfy.exe[2828] ADVAPI32.dll!ChangeServiceConfigA 77E26E41 5 Bytes JMP 00330804
.text C:\WINDOWS\system32\wscntfy.exe[2828] ADVAPI32.dll!ChangeServiceConfigW 77E26FD9 5 Bytes JMP 00330A08
.text C:\WINDOWS\system32\wscntfy.exe[2828] ADVAPI32.dll!ChangeServiceConfig2A 77E270D9 3 Bytes JMP 00330C0C
.text C:\WINDOWS\system32\wscntfy.exe[2828] ADVAPI32.dll!ChangeServiceConfig2A + 4 77E270DD 1 Byte [88]
.text C:\WINDOWS\system32\wscntfy.exe[2828] ADVAPI32.dll!ChangeServiceConfig2W 77E27161 5 Bytes JMP 00330E10
.text C:\WINDOWS\system32\wscntfy.exe[2828] ADVAPI32.dll!CreateServiceA 77E271E9 5 Bytes JMP 003301F8
.text C:\WINDOWS\system32\wscntfy.exe[2828] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 003303FC
.text C:\WINDOWS\system32\wscntfy.exe[2828] ADVAPI32.dll!DeleteService 77E27489 5 Bytes JMP 00330600

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[572] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00630002
IAT C:\WINDOWS\system32\services.exe[572] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00630000

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)

Device \FileSystem\Fastfat \FatCdrom aswSP.SYS (avast! self protection module/AVAST Software)
Device \FileSystem\Fastfat \Fat aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)

vyosek
VIP
Posts: 56373
Registered: 07 Nov 2006 15:24
Location: Šalingrad - Brno

Re: Virus-infected PC, asking for advice.

#14 Post by vyosek »

:arrow: Plug all USB keys (flash drives, external disks, etc.) into the PC.
"Whoever has wine and does not drink it, whoever has grapes and does not eat them, whoever has a wife and does not kiss her, whoever avoids fun, take a whip and a stick to him; that is not a man, that is an ox."
Member since 1 February 2011.
