C:\WINDOWS\system32\drivers\tcpip.sys Win32/Patched.BG virus

[Lisak]

Zdravím,
jsem zde nováčkem...
Tento virus mi najednou vyskočil doma i v práci a nevím co s ním...
C:\WINDOWS\system32\drivers\tcpip.sys Win32/Patched.BG virus
antivir mám NOD 4
smazat ho nemůžu neboť mi pak nefunguje net (to je asi logické, když to je tcpip...)
Pomůže někdo?

[Rudy]

Otestujte soubor online na www.virustotal.com .

[Lisak]

Nějak se nechce načíst...

0 bytes size received / Se ha recibido un archivo vacio

[Rudy]

OK. Dejte log z ComboFix.

Stahnete a ulozte nejlepe na plochu ComboFix: http://download.bleepingcomputer.com/sUBs/ComboFix.exe

pote spustte aplikaci pod uctem s administratorskym opravnenim

hned po startu se zobrazi obrazovka s licencnimi podminkami, pokracujte kliknutim na tlacitko Ano.

v klidu si postavte na kafe (cela akce trva cca. 5-10 minut, nekdy i dele - dle toho, o jak rychly stroj se jedna a kolika soubory se skener bude muset prodirat), behem skenu se nepokousejte spoustet zadne jine aplikace ani nic jineho

behem skenovani nepropadejte panice, vas stroj muze byt restartovan (predevsim pri prvni aplikaci skeneru)

upozorneni: pokud pouzivate antispyware s rezidentnim stitem, prepnete jeho rezidentni stit do Install Mode, pripadne jej po dobu skenu uplne deaktivujte, protoze dochazi pri skenu a vymazu pripadneho malware k nezadoucim kolizim s rezidentem antispyware

[Lisak]

snad se v tom vyznáte....:

ComboFix 09-08-04.03 - Administrator 05.08.2009 21:13.1.1 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.420.1029.18.511.305 [GMT 2:00]
Spuštěný z: c:\docs\Administrator\Plocha\ComboFix.exe
* Rezidentní štít AV je zapnutý

.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\AutoRun.inf

.
((((((((((((((((((((((((( Soubory vytvořené od 2009-07-05 do 2009-08-05 )))))))))))))))))))))))))))))))
.

V tomto časovém úseku nebyly vytvořeny žádné nové soubory.

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-05 16:22 . 2009-08-05 16:22 0 ----a-w- c:\windows\nsreg.dat
2009-08-05 15:47 . 2009-08-05 15:21 158010 ----a-w- c:\windows\hpoins14.dat
2009-08-05 15:43 . 2009-08-05 15:38 -------- d-----w- c:\progs\HP
2009-08-05 15:41 . 2009-08-05 15:41 -------- d-----w- c:\progs\Common Files\HP
2009-08-05 15:40 . 2009-08-05 15:40 -------- d-----w- c:\progs\Hewlett-Packard
2009-08-05 15:40 . 2009-08-05 15:40 -------- d-----w- c:\progs\Common Files\Hewlett-Packard
2009-08-05 15:33 . 2009-08-05 15:29 -------- d-----w- c:\progs\ICQ6.5
2009-08-05 15:30 . 2009-08-05 15:00 -------- d-----w- c:\progs\ICQ6
2009-08-05 15:20 . 2009-08-05 14:30 -------- d--h--w- c:\progs\InstallShield Installation Information
2009-08-05 15:20 . 2009-08-05 15:18 -------- d-----w- c:\progs\AVerMedia
2009-08-05 15:19 . 2009-08-05 15:18 -------- d-----w- c:\progs\Common Files\AVerMedia
2009-08-05 15:12 . 2009-08-05 14:57 -------- d-----w- c:\progs\totalcmd
2009-08-05 15:07 . 2009-08-05 15:07 -------- d-----w- c:\progs\D-Tools
2009-08-05 15:07 . 2009-08-05 15:07 -------- d-----w- c:\progs\Common Files\Adobe AIR
2009-08-05 15:06 . 2009-08-05 15:06 -------- d-----w- c:\progs\Common Files\Adobe
2009-08-05 15:05 . 2009-08-05 15:05 -------- d-----w- c:\progs\AMP WinOFF
2009-08-05 15:05 . 2009-08-05 15:04 -------- d-----w- c:\progs\Winamp
2009-08-05 15:04 . 2009-08-05 15:04 -------- d-----w- c:\progs\Skype
2009-08-05 15:04 . 2009-08-05 15:04 -------- d-----w- c:\progs\Common Files\Skype
2009-08-05 15:03 . 2009-08-05 15:03 -------- d-----w- c:\progs\Ahead
2009-08-05 15:03 . 2009-08-05 15:03 -------- d-----w- c:\progs\Common Files\Ahead
2009-08-05 14:59 . 2009-08-05 14:59 -------- d-----w- c:\progs\Lavasoft
2009-08-05 14:58 . 2009-08-05 14:58 -------- d-----w- c:\progs\Common Files\ACD Systems
2009-08-05 14:58 . 2009-08-05 14:58 -------- d-----w- c:\progs\ACD Systems
2009-08-05 14:58 . 2009-08-05 14:58 -------- d-----w- c:\progs\Micro DVD Player
2009-08-05 14:57 . 2009-08-05 14:57 -------- d-----w- c:\progs\Codec Pack - All In 1
2009-08-05 14:57 . 2009-08-05 14:57 737280 ----a-w- c:\windows\iun6002.exe
2009-08-05 14:57 . 2009-08-05 14:57 -------- d-----w- c:\progs\BSPlayer
2009-08-05 14:55 . 2009-08-05 14:55 -------- d-----w- c:\progs\ESET
2009-08-05 14:49 . 2009-08-05 14:34 -------- d-----w- c:\progs\ATI Technologies
2009-08-05 14:48 . 2001-10-25 13:00 67094 ----a-w- c:\windows\system32\perfc005.dat
2009-08-05 14:48 . 2001-10-25 13:00 386954 ----a-w- c:\windows\system32\perfh005.dat
2009-08-05 14:45 . 2009-08-05 14:33 -------- d-----w- c:\progs\ATI
2009-08-05 14:34 . 2009-08-05 14:30 -------- d-----w- c:\progs\Common Files\InstallShield
2009-08-05 14:30 . 2009-08-05 14:30 -------- d-----w- c:\progs\Realtek Sound Manager
2009-08-05 14:30 . 2009-08-05 14:30 -------- d-----w- c:\progs\AvRack
2009-08-05 14:30 . 2009-08-05 14:30 -------- d-----w- c:\progs\Realtek AC97
2009-08-05 14:30 . 2009-08-05 14:26 -------- d-----w- c:\progs\ovladac_zakl_deska
2009-08-05 14:29 . 2009-08-05 14:29 -------- d-----w- c:\progs\VIALAN
2009-08-05 14:21 . 2009-08-05 14:21 8738 ----a-w- c:\windows\pchealth\helpctr\Config\Cntstore.bin
2009-08-05 14:21 . 2009-08-05 14:21 2112 ----a-w- c:\windows\pchealth\helpctr\PackageStore\SkuStore.bin
2009-08-05 14:21 . 2009-08-05 14:21 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-08-05 14:19 . 2009-08-05 14:19 21812 ----a-w- c:\windows\system32\emptyregdb.dat
2009-05-14 13:49 . 2009-05-14 13:49 94360 ----a-w- c:\windows\system32\drivers\epfwtdir.sys
2009-05-14 13:47 . 2009-05-14 13:47 107256 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2009-05-14 13:41 . 2009-05-14 13:41 114472 ----a-w- c:\windows\system32\drivers\eamon.sys
.

------- Sigcheck -------

[-] 2006-02-23 08:34 359040 !HASH: COULD NOT OPEN FILE !!!!! c:\windows\system32\drivers\tcpip.sys


.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\progs\Skype\Phone\Skype.exe" [2006-12-11 25343016]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\progs\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"egui"="c:\progs\ESET\ESET NOD32 Antivirus\egui.exe" [2009-05-14 2029640]
"Ad-Watch"="c:\progs\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"WinampAgent"="c:\progs\Winamp\winampa.exe" [2006-06-21 35328]
"Adobe Reader Speed Launcher"="c:\progs\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"DAEMON Tools-1033"="c:\progs\D-Tools\daemon.exe" [2004-08-22 81920]
"HP Software Update"="c:\progs\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2006-06-21 577536]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-17 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="move" [X]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-17 44544]

c:\docs\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
AVer HID Receiver.lnk - c:\progs\Common Files\AVerMedia\AVerQuick\AVerHIDReceiver.exe [2009-8-5 159744]
AVerQuick.lnk - c:\progs\Common Files\AVerMedia\AVerQuick\AVerQuick.exe [2009-8-5 663552]
HP Digital Imaging Monitor.lnk - c:\progs\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
Microsoft Office.lnk - c:\progs\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoInternetIcon"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\progs\\ICQ6.5\\ICQ.exe"=
"c:\\progs\\Skype\\Phone\\Skype.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5.8.2009 17:00 64160]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [14.5.2009 15:47 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [14.5.2009 15:49 94360]
R2 AVerRemote;AVerRemote;c:\progs\Common Files\AVerMedia\Service\AVerRemote.exe [5.8.2009 17:18 352256]
R2 AVerScheduleService;AVerScheduleService;c:\progs\Common Files\AVerMedia\Service\AVerScheduleService.exe [5.8.2009 17:18 409600]
R2 ekrn;ESET Service;c:\progs\ESET\ESET NOD32 Antivirus\ekrn.exe [14.5.2009 15:47 731840]
R3 AVerFx2hbtv;AVerMedia USB SW Hybrid Tuner;c:\windows\system32\drivers\AVerFx2hbtv.sys [5.8.2009 17:20 273152]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\progs\Lavasoft\Ad-Aware\AAWService.exe [9.3.2009 21:06 951632]

--- Ostatní služby/ovladače v paměti ---

*NewlyCreated* - AVERREMOTE
*NewlyCreated* - AVERSCHEDULESERVICE
*NewlyCreated* - HPQCXS08
*NewlyCreated* - HPQDDSVC
*NewlyCreated* - NET_DRIVER_HPZ12
*NewlyCreated* - PML_DRIVER_HPZ12

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Obsah adresáře 'Naplánované úlohy'

2009-08-05 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\progs\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:06]
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -

HKCU-Run-ICQ - c:\progs\ICQ6\ICQ.exe


.
------- Doplňkový sken -------
.
IE: E&xportovat do aplikace Microsoft Excel - c:\progs\MICROS~1\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\docs\Administrator\Data aplikací\Mozilla\Firefox\Profiles\jlrgdt94.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.centrum.cz/

---- NASTAVENÍ FIREFOXU ----
c:\progs\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\progs\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\progs\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\progs\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\progs\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\progs\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\progs\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\progs\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\progs\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\progs\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\progs\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\progs\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\progs\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\progs\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\progs\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\progs\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\progs\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\progs\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\progs\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\progs\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-05 21:16
Windows 5.1.2600 Service Pack 2 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(572)
c:\windows\system32\Ati2evxx.dll
.
Celkový čas: 2009-08-05 21:17
ComboFix-quarantined-files.txt 2009-08-05 19:17

Před spuštěním: Volných bajtů: 16 608 870 400
Po spuštění: Volných bajtů: 16 728 395 776

WindowsXP-KB310994-SP2-Pro-BootDisk-CSY.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /noexecute=alwaysoff

[Rudy]

Kromě jedné položka, která byla smazána, vypadá log čistý. Otevřte poznámkový blok a zkopírujte do něj:

FCopy::
c:\windows\ServicePackFiles\i386\tcpip.sys | c:\windows\system32\drivers\tcpip.sys

Uložte na plochu jako CFScript.txt. Pak jej myší přetáhněte nad ikonu ComboFix a pusťte. CF se spustí a vykoná příkaz ze skriptu.

[Lisak]

Udělal jsem, nicméně při skenu opět vylítávali okna s upozorněním na vir (pořád ten samý)
log z nového skenu....

ComboFix 09-08-04.04 - Administrator 06.08.2009 8:52.2.2 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.420.1029.18.1023.700 [GMT 2:00]
Spuštěný z: c:\docs\Administrator\Plocha\ComboFix.exe
Použité ovládací přepínače :: c:\docs\Administrator\Plocha\CFScript.txt
* Rezidentní štít AV je zapnutý

.

((((((((((((((((((((((((( Soubory vytvořené od 2009-07-06 do 2009-08-06 )))))))))))))))))))))))))))))))
.

2009-08-05 10:21 . 2009-08-05 10:21 -------- d-----w- c:\progs\Common Files\Hewlett-Packard
2009-08-05 10:17 . 2004-08-03 19:58 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-08-05 10:17 . 2009-08-05 10:17 -------- d-----w- c:\progs\HP
2009-08-05 10:16 . 2009-08-05 10:22 103535 ----a-w- c:\windows\hpoins04.dat
2009-08-05 10:16 . 2004-06-22 06:04 17176 ------w- c:\windows\hpomdl04.dat
2009-08-05 10:16 . 2009-08-05 10:16 -------- d-----w- c:\temp\HP_WebRelease
2009-08-05 10:16 . 2009-08-05 10:16 -------- d-----w- C:\temp
2009-08-05 10:08 . 2004-08-03 20:01 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2009-08-05 10:07 . 2004-08-03 20:08 31616 ----a-w- c:\windows\system32\drivers\usbccgp.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-05 08:57 . 2009-08-05 08:55 -------- d-----w- c:\progs\ICQ6.5
2009-08-05 08:56 . 2009-08-05 08:13 -------- d-----w- c:\progs\ICQ6
2009-08-05 08:27 . 2009-08-05 08:27 0 ----a-w- c:\windows\nsreg.dat
2009-08-05 08:20 . 2009-08-05 08:20 -------- d-----w- c:\progs\D-Tools
2009-08-05 08:18 . 2009-08-05 08:16 -------- d-----w- c:\progs\Winamp
2009-08-05 08:16 . 2009-08-05 08:15 -------- d-----w- c:\progs\Skype
2009-08-05 08:16 . 2009-08-05 08:16 -------- d-----w- c:\progs\Common Files\Skype
2009-08-05 08:15 . 2009-08-05 08:14 -------- d-----w- c:\progs\Ahead
2009-08-05 08:14 . 2009-08-05 08:14 -------- d-----w- c:\progs\Common Files\Ahead
2009-08-05 08:13 . 2009-08-05 07:35 -------- d--h--w- c:\progs\InstallShield Installation Information
2009-08-05 08:12 . 2009-08-05 08:11 -------- d-----w- c:\progs\Common Files\ACD Systems
2009-08-05 08:11 . 2009-08-05 08:11 -------- d-----w- c:\progs\ACD Systems
2009-08-05 08:11 . 2009-08-05 08:11 -------- d-----w- c:\progs\Micro DVD Player
2009-08-05 08:10 . 2009-08-05 08:10 -------- d-----w- c:\progs\Codec Pack - All In 1
2009-08-05 08:10 . 2009-08-05 08:10 737280 ----a-w- c:\windows\iun6002.exe
2009-08-05 08:10 . 2009-08-05 08:10 -------- d-----w- c:\progs\BSPlayer
2009-08-05 08:10 . 2009-08-05 08:10 -------- d-----w- c:\progs\totalcmd
2009-08-05 08:09 . 2009-08-05 08:25 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-08-05 08:09 . 2009-08-05 08:09 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-08-05 08:08 . 2009-08-05 08:08 -------- d-----w- c:\progs\Lavasoft
2009-08-05 08:07 . 2009-08-05 08:07 -------- d-----w- c:\progs\Common Files\Adobe AIR
2009-08-05 08:07 . 2009-08-05 08:07 -------- d-----w- c:\progs\Common Files\Adobe
2009-08-05 07:46 . 2009-08-05 07:46 -------- d-----w- c:\progs\ESET
2009-08-05 07:36 . 2001-10-25 13:00 44554 ----a-w- c:\windows\system32\perfc005.dat
2009-08-05 07:36 . 2001-10-25 13:00 307280 ----a-w- c:\windows\system32\perfh005.dat
2009-08-05 07:36 . 2009-08-05 07:35 -------- d-----w- c:\progs\Realtek
2009-08-05 07:35 . 2009-08-05 07:35 -------- d-----w- c:\progs\Common Files\InstallShield
2009-08-05 07:33 . 2009-08-05 07:33 -------- d-----w- c:\progs\Intel
2009-08-05 07:31 . 2009-08-05 07:31 8738 ----a-w- c:\windows\pchealth\helpctr\Config\Cntstore.bin
2009-08-05 07:31 . 2009-08-05 07:30 2112 ----a-w- c:\windows\pchealth\helpctr\PackageStore\SkuStore.bin
2009-08-05 07:31 . 2009-08-05 07:30 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-08-05 07:27 . 2009-08-05 07:27 21812 ----a-w- c:\windows\system32\emptyregdb.dat
2009-05-14 13:49 . 2009-05-14 13:49 94360 ----a-w- c:\windows\system32\drivers\epfwtdir.sys
2009-05-14 13:47 . 2009-05-14 13:47 107256 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2009-05-14 13:41 . 2009-05-14 13:41 114472 ----a-w- c:\windows\system32\drivers\eamon.sys
.

------- Sigcheck -------

[-] 2006-02-23 08:34 359040 !HASH: COULD NOT OPEN FILE !!!!! c:\windows\system32\drivers\tcpip.sys


.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\progs\Skype\Phone\Skype.exe" [2006-12-11 25343016]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-01 7618560]
"egui"="c:\progs\ESET\ESET NOD32 Antivirus\egui.exe" [2009-05-14 2029640]
"Adobe Reader Speed Launcher"="c:\progs\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"Ad-Watch"="c:\progs\Lavasoft\Ad-Aware\AAWTray.exe" [2009-08-05 520024]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"WinampAgent"="c:\progs\Winamp\winampa.exe" [2006-06-21 35328]
"DAEMON Tools-1033"="c:\progs\D-Tools\daemon.exe" [2004-08-22 81920]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-05-18 16207872]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-06-01 1519616]
"NvMediaCenter"="NvMCTray.dll" - c:\windows\system32\nvmctray.dll [2006-06-01 86016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-17 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="move" [X]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-17 44544]

c:\docs\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Microsoft Office.lnk - c:\progs\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoInternetIcon"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\progs\\Skype\\Phone\\Skype.exe"=
"c:\\progs\\ICQ6.5\\ICQ.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5.8.2009 10:09 64160]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [14.5.2009 15:47 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [14.5.2009 15:49 94360]
R2 ekrn;ESET Service;c:\progs\ESET\ESET NOD32 Antivirus\ekrn.exe [14.5.2009 15:47 731840]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\progs\Lavasoft\Ad-Aware\AAWService.exe [9.3.2009 21:06 1029456]
.
Obsah adresáře 'Naplánované úlohy'

2009-08-05 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\progs\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 08:09]
.
.
------- Doplňkový sken -------
.
IE: E&xportovat do aplikace Microsoft Excel - c:\progs\MICROS~1\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\docs\Administrator\Data aplikací\Mozilla\Firefox\Profiles\vvifo4nd.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.centrum.cz/

---- NASTAVENÍ FIREFOXU ----
c:\progs\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\progs\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\progs\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\progs\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\progs\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\progs\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\progs\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\progs\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\progs\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\progs\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\progs\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\progs\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\progs\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\progs\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\progs\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\progs\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\progs\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\progs\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\progs\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\progs\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-06 08:54
Windows 5.1.2600 Service Pack 2 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'explorer.exe'(2940)
c:\windows\system32\msi.dll
.
Celkový čas: 2009-08-06 8:55
ComboFix-quarantined-files.txt 2009-08-06 06:55
ComboFix2.txt 2009-08-06 06:50

Před spuštěním: Volných bajtů: 47 876 083 712
Po spuštění: Volných bajtů: 47 867 953 152

188 --- E O F --- 2009-08-05 08:01

[Rudy]

CF pouze překopíroval soubor tcpip.sys ze zálohy do příslušného adresáře. Pokud je v něm vir nyní, pak je nakažena i záloha.

[Lisak]

Nevím jak na něj..
jweště trochu info o něm:
pokud zformátuju hadr, instalnu windowsy (kabel mám odpojený), instalnu programy, pak zapojím kabel a do 30 min mi vyskočí varovné okno s touhle infiltrací. Nevím jak se tam tak rychle může dostat, navíc serfuju po bezpečných stránkách...

[Rudy]

Šlo by to udělat tak, že by jste si zkopíroval ten soubor na nějakém nenakaženém PC, pak nakopírobal na vašem PC do libovolného adresáře a pak přes CF zkopíroval do drivers.

[Lisak]

Překopíroval jsem ten soubor.
varovné okno s virem se již nevyhazuje.
Prosím o kontrolu z combofixu...
nový výpis z combofixu je tady:

ComboFix 09-08-04.04 - Administrator 10.08.2009 10:43.3.2 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.420.1029.18.1023.654 [GMT 2:00]
Spuštěný z: c:\docs\Administrator\Plocha\ComboFix.exe
* Rezidentní štít AV je zapnutý

.

((((((((((((((((((((((((( Soubory vytvořené od 2009-07-10 do 2009-08-10 )))))))))))))))))))))))))))))))
.

2009-08-10 06:42 . 2009-08-10 06:42 -------- d-----w- c:\windows\system32\xircom
2009-08-10 06:42 . 2009-08-10 06:42 -------- d-----w- c:\windows\system32\wbem\snmp
2009-08-10 06:42 . 2009-08-10 06:42 -------- d-----w- c:\windows\system32\oobe
2009-08-10 06:42 . 2009-08-10 06:42 -------- d-----w- c:\windows\srchasst
2009-08-10 06:42 . 2009-08-10 06:42 -------- d-----w- c:\progs\microsoft frontpage
2009-08-05 10:21 . 2009-08-05 10:21 -------- d-----w- c:\progs\Common Files\Hewlett-Packard
2009-08-05 10:17 . 2004-08-03 19:58 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-08-05 10:17 . 2009-08-05 10:17 -------- d-----w- c:\progs\HP
2009-08-05 10:16 . 2009-08-05 10:22 103535 ----a-w- c:\windows\hpoins04.dat
2009-08-05 10:16 . 2004-06-22 06:04 17176 ------w- c:\windows\hpomdl04.dat
2009-08-05 10:16 . 2009-08-05 10:16 -------- d-----w- c:\temp\HP_WebRelease
2009-08-05 10:16 . 2009-08-05 10:16 -------- d-----w- C:\temp
2009-08-05 10:08 . 2004-08-03 20:01 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2009-08-05 10:07 . 2004-08-03 20:08 31616 ----a-w- c:\windows\system32\drivers\usbccgp.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-10 08:26 . 2009-08-05 08:10 -------- d-----w- c:\progs\totalcmd
2009-08-10 07:51 . 2009-08-05 07:30 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-08-10 07:51 . 2009-08-05 07:30 2426 ----a-w- c:\windows\pchealth\helpctr\PackageStore\SkuStore.bin
2009-08-10 07:51 . 2009-08-05 07:31 8972 ----a-w- c:\windows\pchealth\helpctr\Config\Cntstore.bin
2009-08-05 08:57 . 2009-08-05 08:55 -------- d-----w- c:\progs\ICQ6.5
2009-08-05 08:56 . 2009-08-05 08:13 -------- d-----w- c:\progs\ICQ6
2009-08-05 08:27 . 2009-08-05 08:27 0 ----a-w- c:\windows\nsreg.dat
2009-08-05 08:20 . 2009-08-05 08:20 -------- d-----w- c:\progs\D-Tools
2009-08-05 08:18 . 2009-08-05 08:16 -------- d-----w- c:\progs\Winamp
2009-08-05 08:16 . 2009-08-05 08:15 -------- d-----w- c:\progs\Skype
2009-08-05 08:16 . 2009-08-05 08:16 -------- d-----w- c:\progs\Common Files\Skype
2009-08-05 08:15 . 2009-08-05 08:14 -------- d-----w- c:\progs\Ahead
2009-08-05 08:14 . 2009-08-05 08:14 -------- d-----w- c:\progs\Common Files\Ahead
2009-08-05 08:13 . 2009-08-05 07:35 -------- d--h--w- c:\progs\InstallShield Installation Information
2009-08-05 08:12 . 2009-08-05 08:11 -------- d-----w- c:\progs\Common Files\ACD Systems
2009-08-05 08:11 . 2009-08-05 08:11 -------- d-----w- c:\progs\ACD Systems
2009-08-05 08:11 . 2009-08-05 08:11 -------- d-----w- c:\progs\Micro DVD Player
2009-08-05 08:10 . 2009-08-05 08:10 -------- d-----w- c:\progs\Codec Pack - All In 1
2009-08-05 08:10 . 2009-08-05 08:10 737280 ----a-w- c:\windows\iun6002.exe
2009-08-05 08:10 . 2009-08-05 08:10 -------- d-----w- c:\progs\BSPlayer
2009-08-05 08:09 . 2009-08-05 08:25 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-08-05 08:09 . 2009-08-05 08:09 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-08-05 08:08 . 2009-08-05 08:08 -------- d-----w- c:\progs\Lavasoft
2009-08-05 08:07 . 2009-08-05 08:07 -------- d-----w- c:\progs\Common Files\Adobe AIR
2009-08-05 08:07 . 2009-08-05 08:07 -------- d-----w- c:\progs\Common Files\Adobe
2009-08-05 07:46 . 2009-08-05 07:46 -------- d-----w- c:\progs\ESET
2009-08-05 07:36 . 2001-10-25 13:00 44554 ----a-w- c:\windows\system32\perfc005.dat
2009-08-05 07:36 . 2001-10-25 13:00 307280 ----a-w- c:\windows\system32\perfh005.dat
2009-08-05 07:36 . 2009-08-05 07:35 -------- d-----w- c:\progs\Realtek
2009-08-05 07:35 . 2009-08-05 07:35 -------- d-----w- c:\progs\Common Files\InstallShield
2009-08-05 07:33 . 2009-08-05 07:33 -------- d-----w- c:\progs\Intel
2009-08-05 07:27 . 2009-08-05 07:27 21812 ----a-w- c:\windows\system32\emptyregdb.dat
2009-05-14 13:49 . 2009-05-14 13:49 94360 ----a-w- c:\windows\system32\drivers\epfwtdir.sys
2009-05-14 13:47 . 2009-05-14 13:47 107256 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2009-05-14 13:41 . 2009-05-14 13:41 114472 ----a-w- c:\windows\system32\drivers\eamon.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-08-06_06.50.08 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-02-23 08:34 . 2004-08-03 22:14 359040 c:\windows\system32\drivers\tcpip.sys
- 2006-02-23 08:34 . 2006-02-23 08:34 359040 c:\windows\system32\drivers\tcpip.sys
+ 2006-02-23 08:34 . 2004-08-03 22:14 359040 c:\windows\system32\dllcache\tcpip.sys
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\progs\Skype\Phone\Skype.exe" [2006-12-11 25343016]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-01 7618560]
"egui"="c:\progs\ESET\ESET NOD32 Antivirus\egui.exe" [2009-05-14 2029640]
"Adobe Reader Speed Launcher"="c:\progs\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"Ad-Watch"="c:\progs\Lavasoft\Ad-Aware\AAWTray.exe" [2009-08-05 520024]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"WinampAgent"="c:\progs\Winamp\winampa.exe" [2006-06-21 35328]
"DAEMON Tools-1033"="c:\progs\D-Tools\daemon.exe" [2004-08-22 81920]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-05-18 16207872]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-06-01 1519616]
"NvMediaCenter"="NvMCTray.dll" - c:\windows\system32\nvmctray.dll [2006-06-01 86016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-17 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="move" [X]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-17 44544]

c:\docs\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Microsoft Office.lnk - c:\progs\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoInternetIcon"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\progs\\ICQ6.5\\ICQ.exe"=
"c:\\progs\\Skype\\Phone\\Skype.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5.8.2009 10:09 64160]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [14.5.2009 15:47 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [14.5.2009 15:49 94360]
R2 ekrn;ESET Service;c:\progs\ESET\ESET NOD32 Antivirus\ekrn.exe [14.5.2009 15:47 731840]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\progs\Lavasoft\Ad-Aware\AAWService.exe [9.3.2009 21:06 1029456]
.
Obsah adresáře 'Naplánované úlohy'

2009-08-10 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\progs\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 08:09]
.
.
------- Doplňkový sken -------
.
IE: E&xportovat do aplikace Microsoft Excel - c:\progs\MICROS~1\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\docs\Administrator\Data aplikací\Mozilla\Firefox\Profiles\vvifo4nd.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.centrum.cz/

---- NASTAVENÍ FIREFOXU ----
c:\progs\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\progs\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\progs\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\progs\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\progs\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\progs\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\progs\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\progs\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\progs\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\progs\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\progs\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\progs\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\progs\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\progs\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\progs\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\progs\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\progs\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\progs\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\progs\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\progs\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\progs\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-10 10:44
Windows 5.1.2600 Service Pack 2 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'explorer.exe'(3768)
c:\windows\system32\msi.dll
.
Celkový čas: 2009-08-10 10:45
ComboFix-quarantined-files.txt 2009-08-10 08:45
ComboFix2.txt 2009-08-06 06:55
ComboFix3.txt 2009-08-06 06:50

Před spuštěním: Volných bajtů: 47 807 299 584
Po spuštění: Volných bajtů: 47 769 853 952

196 --- E O F --- 2009-08-05 08:01

[Rudy]

Log již vypadá čistý.

[Ax1qwer]

Dobrý den, mam ten samý problem, jako uzivatel co zalozil toto tema
Dnes sem reinstaloval windows, ale hned co jsem pripojil pc k netu, abych si stahnul antivirovy program zacala vyskakovat tabulka ze soubor tcpip.sys je infikovan

Zde je log z combofixu:

Kód: Vybrat vše

ComboFix 11-07-20.02 - Mirek 20.07.2011  21:23:49.1.1 - x86
Systém Microsoft Windows XP Professional  5.1.2600.2.1250.420.1029.18.478.194 [GMT 2:00]
Spuštěný z: d:\sta×enú soubory\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ActiveArmor Firewall *Disabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}
.
.
(((((((((((((((((((((((((((((((((((((((   Ostatní výmazy   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\Cache
.
.
(((((((((((((((((((((((((   Soubory vytvořené od 2011-06-20 do 2011-07-20  )))))))))))))))))))))))))))))))
.
.
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M výpis   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-08 07:29 . 2011-07-20 18:51	142296	----a-w-	c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\SoftwareDistribution\Download\1d2803a1f84cfd41d61e509943d67213\sp3qfe\tcpip.sys
[-] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\SoftwareDistribution\Download\1d2803a1f84cfd41d61e509943d67213\sp3gdr\tcpip.sys
[-] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\SoftwareDistribution\Download\1d2803a1f84cfd41d61e509943d67213\sp2gdr\tcpip.sys
[-] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\SoftwareDistribution\Download\1d2803a1f84cfd41d61e509943d67213\sp2qfe\tcpip.sys
[-] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\44c8256673ca0542cb198384f8131b68\tcpip.sys
[-] 2007-12-27 . 1745B00FC1141404B28F4B94F69A8871 . 359040 . . [5.1.2600.2180] . . c:\windows\system32\drivers\tcpip.sys
.
[-] 2008-04-14 . 56A6034E7764E23D9114223EB3523925 . 1571840 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\44c8256673ca0542cb198384f8131b68\sfcfiles.dll
[-] 2007-12-27 . 0C2F6B6366E23D7362EB2C2EC29262F6 . 1548288 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((   Spouštěcí body v registru   )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny. 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-07-04 11:43	122512	----a-w-	c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"GrooveMonitor"="c:\program files\Microsoft Office 2007\Office12\GrooveMonitor.exe" [2007-06-30 33648]
"nTrayFw"="c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe" [2006-02-17 270336]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-24 7311360]
"nwiz"="nwiz.exe" [2006-01-24 1519616]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-01-24 86016]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 61952]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-07-04 3493720]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-17 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
.
c:\documents and settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
RocketDock.lnk - c:\program files\RocketDock\RocketDock.exe [N/A]
VisualTaskTips.lnk - c:\program files\VisualTaskTips\VisualTaskTips.exe [2007-9-5 36352]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office 2007\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office 2007\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office 2007\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [20.7.2011 19:59 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [20.7.2011 19:59 309848]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [20.7.2011 19:59 19544]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [3.11.2006 19:19 13592]
S2 gupdate;Služba Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [20.7.2011 20:55 136176]
S3 gupdatem;Služba Google Update (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [20.7.2011 20:55 136176]
.
--- Ostatní služby/ovladače v paměti ---
.
*NewlyCreated* - ASWSNX
*NewlyCreated* - GUPDATE
.
Obsah adresáře 'Naplánované úlohy'
.
2011-07-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-07-20 18:54]
.
2011-07-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-07-20 18:54]
.
2011-07-20 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 17:20]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.seznam.cz
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/support/chrome/bin/request.py?hl=en-US&contact_type=uninstall&crversion=12.0.742.100&os=5.1.2600
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
TCP: DhcpNameServer = 90.183.12.3 90.183.12.4
FF - ProfilePath - c:\documents and settings\Mirek\Data aplikací\Mozilla\Firefox\Profiles\c13pscph.default\
FF - prefs.js: browser.startup.homepage - www.seznam.cz
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-20 21:28
Windows 5.1.2600 Service Pack 2 NTFS
.
skenování skrytých procesů ...  
.
skenování skrytých položek 'Po spuštění' ... 
.
skenování skrytých souborů ...  
.
sken byl úspešně dokončen
skryté soubory: 0
.
**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------
.
- - - - - - - > 'lsass.exe'(768)
c:\windows\system32\nvappfilter.dll
.
- - - - - - - > 'explorer.exe'(256)
c:\program files\VisualTaskTips\VttHooks.dll
c:\windows\system32\msi.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
Celkový čas: 2011-07-20  21:30:09
ComboFix-quarantined-files.txt  2011-07-20 19:30
.
Před spuštěním: Volných bajtů: 29 424 001 024
Po spuštění: Volných bajtů: 29 433 425 920
.
WindowsXP-KB310994-SP2-Pro-BootDisk-CSY.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - A8D3F37285D629A8E25C6CB7C36250B3

děkuji mnohokrát za rady.

[motji]

Ax1qwer
Dobrý večer ,
prosím založte si vlastní topic, takto by se nám tu pletly logy .
Děkujeme za pochopení

[Ax1qwer]

Dobrá, omlouvám se.