pro Motji, 4. PC

[nessay]

Logfile of random's system information tool 1.06 (written by random/random)
Run by Janka S at 2010-03-21 17:46:58
Systém Microsoft Windows XP Professional Service Pack 2
System drive C: has 11 GB (26%) free of 40 GB
Total RAM: 2039 MB (81% free)

HijackThis download failed

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-12-21 75200]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"29661"=C:\qjxcae.exe []
"reader_s"=C:\WINDOWS\System32\reader_s.exe []
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-12-22 35760]
"Adobe ARM"=C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2009-12-11 948672]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"reader_s"=C:\Documents and Settings\Janka S\reader_s.exe []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2009-01-21 205824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2009-03-10 265096]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\VideoLAN\VLC\vlc.exe"="C:\Program Files\VideoLAN\VLC\vlc.exe:*:Enabled:VLC media player"
"C:\DOCUME~1\JANKAS~1\LOCALS~1\Temp\839.exe"="C:\DOCUME~1\JANKAS~1\LOCALS~1\Temp\839.exe:*:C:\WINDOWS\ccdrive32.exe"
"C:\DOCUME~1\JANKAS~1\LOCALS~1\Temp\eraseme_34533.exe"="C:\DOCUME~1\JANKAS~1\LOCALS~1\Temp\eraseme_34533.exe:*:C:\WINDOWS\cidrive32.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{66e3402c-de5d-11de-b768-0022431b1eda}]
shell\AutoRun\command - F:\RECYCLER\S-51-9-25-3434476501-1644491933-601013354-1214\BSuBT.exe
shell\open\command - F:\RECYCLER\S-51-9-25-3434476501-1644491933-601013354-1214\BSuBT.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9a8731c2-04eb-11df-b7b3-0022431b1eda}]
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL riOuf.exE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{db920927-bbe8-11de-b718-002215ff6b5c}]
shell\AutoRun\command - F:\LaunchU3.exe -a


======List of files/folders created in the last 1 months======

2010-03-21 17:46:58 ----D---- C:\rsit
2010-03-21 17:46:58 ----D---- C:\Program Files\trend micro
2010-03-14 20:58:33 ----D---- C:\Program Files\Adobe
2010-03-14 12:14:57 ----D---- C:\Documents and Settings\All Users\Data aplikací\Adobe
2010-03-14 12:14:45 ----D---- C:\Program Files\Common Files\Adobe
2010-03-11 10:37:33 ----HDC---- C:\WINDOWS\$NtUninstallKB975561$
2010-03-10 21:34:58 ----D---- C:\Documents and Settings\Janka S\Data aplikací\Opera
2010-03-10 21:34:29 ----D---- C:\Program Files\Opera
2010-03-10 18:16:04 ----D---- C:\Documents and Settings\Janka S\Data aplikací\Mozilla
2010-03-10 18:15:58 ----D---- C:\Program Files\Mozilla Firefox
2010-03-09 18:27:01 ----HDC---- C:\WINDOWS\$NtUninstallKB977165-v2$
2010-03-08 23:36:35 ----N---- C:\WINDOWS\system32\browserchoice.exe
2010-03-04 07:13:08 ----HDC---- C:\WINDOWS\$NtUninstallKB970430$
2010-03-04 07:12:53 ----HDC---- C:\WINDOWS\$NtUninstallKB971737$
2010-03-03 04:37:39 ----HDC---- C:\WINDOWS\$NtUninstallKB955759$
2010-03-03 04:37:28 ----HDC---- C:\WINDOWS\$NtUninstallKB974318$
2010-03-03 04:37:19 ----HDC---- C:\WINDOWS\$NtUninstallKB969059$
2010-03-03 04:37:09 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
2010-03-03 04:37:00 ----HDC---- C:\WINDOWS\$NtUninstallKB978037$
2010-03-03 04:36:52 ----HDC---- C:\WINDOWS\$NtUninstallKB971657$
2010-03-03 04:36:43 ----HDC---- C:\WINDOWS\$NtUninstallKB972270$
2010-03-03 04:36:33 ----HDC---- C:\WINDOWS\$NtUninstallKB973354$
2010-03-03 04:36:25 ----HDC---- C:\WINDOWS\$NtUninstallKB979306$
2010-03-03 04:36:15 ----HDC---- C:\WINDOWS\$NtUninstallKB923561$
2010-03-03 04:35:58 ----HDC---- C:\WINDOWS\$NtUninstallKB969947$
2010-03-02 10:04:12 ----HDC---- C:\WINDOWS\$NtUninstallKB978262$
2010-03-02 10:04:04 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$
2010-03-02 10:03:55 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
2010-03-02 10:03:45 ----HDC---- C:\WINDOWS\$NtUninstallKB959426$
2010-03-02 10:03:35 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2010-03-02 10:03:24 ----HDC---- C:\WINDOWS\$NtUninstallKB960859$
2010-03-02 10:03:15 ----HDC---- C:\WINDOWS\$NtUninstallKB971468$
2010-03-02 10:03:05 ----HDC---- C:\WINDOWS\$NtUninstallKB935448$
2010-03-02 10:02:39 ----HDC---- C:\WINDOWS\$NtUninstallKB978207$
2010-03-02 10:02:28 ----HDC---- C:\WINDOWS\$NtUninstallKB958869$
2010-03-02 10:02:15 ----HDC---- C:\WINDOWS\$NtUninstallKB974112$
2010-03-02 10:01:59 ----HDC---- C:\WINDOWS\$NtUninstallKB956572$
2010-03-02 10:01:41 ----HDC---- C:\WINDOWS\$NtUninstallKB956844$
2010-03-02 10:01:32 ----HDC---- C:\WINDOWS\$NtUninstallKB961501$
2010-03-02 10:01:16 ----HDC---- C:\WINDOWS\$NtUninstallKB978251$
2010-03-02 10:01:06 ----HDC---- C:\WINDOWS\$NtUninstallKB973869$
2010-03-02 10:00:55 ----HDC---- C:\WINDOWS\$NtUninstallKB975025$
2010-03-02 10:00:33 ----HDC---- C:\WINDOWS\$NtUninstallKB952004$
2010-03-02 10:00:23 ----HDC---- C:\WINDOWS\$NtUninstallKB974571$
2010-03-02 10:00:14 ----HDC---- C:\WINDOWS\$NtUninstallKB975560$
2010-03-02 09:59:59 ----HDC---- C:\WINDOWS\$NtUninstallKB973507$
2010-03-02 09:59:52 ----HDC---- C:\WINDOWS\$NtUninstallKB941569$
2010-03-02 09:59:19 ----HDC---- C:\WINDOWS\$NtUninstallKB973687$
2010-03-02 09:59:06 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$
2010-03-02 09:58:53 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
2010-03-02 09:58:38 ----HDC---- C:\WINDOWS\$NtUninstallKB973904$
2010-03-02 09:58:23 ----HDC---- C:\WINDOWS\$NtUninstallKB967715$
2010-03-02 09:58:07 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
2010-03-02 09:57:54 ----HDC---- C:\WINDOWS\$NtUninstallKB974392$
2010-03-02 09:57:43 ----HDC---- C:\WINDOWS\$NtUninstallKB977914$
2010-03-02 09:57:16 ----HDC---- C:\WINDOWS\$NtUninstallKB951748$
2010-03-02 09:57:05 ----HDC---- C:\WINDOWS\$NtUninstallKB971961$
2010-03-02 09:56:51 ----HDC---- C:\WINDOWS\$NtUninstallKB970238$
2010-03-02 09:56:35 ----HDC---- C:\WINDOWS\$NtUninstallKB971486$
2010-03-02 09:56:18 ----HDC---- C:\WINDOWS\$NtUninstallKB978706$
2010-03-02 09:56:06 ----HDC---- C:\WINDOWS\$NtUninstallKB958470$
2010-03-02 09:55:50 ----HDC---- C:\WINDOWS\$NtUninstallKB960803$
2010-03-02 09:55:37 ----HDC---- C:\WINDOWS\$NtUninstallKB973815$
2010-03-02 09:55:01 ----HDC---- C:\WINDOWS\$NtUninstallKB971032$
2010-03-02 09:54:44 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2010-03-02 09:54:33 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
2010-03-02 09:54:22 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2010-03-02 09:54:13 ----HDC---- C:\WINDOWS\$NtUninstallKB944338-v2$
2010-03-02 09:53:54 ----HDC---- C:\WINDOWS\$NtUninstallKB975467$
2010-03-02 09:53:26 ----HDC---- C:\WINDOWS\$NtUninstallKB968389$
2010-03-01 16:17:05 ----D---- C:\Program Files\ESET
2010-03-01 16:11:09 ----A---- C:\WINDOWS\system32\flags.ini
2010-02-28 21:39:54 ----D---- C:\WINDOWS\Prefetch
2010-02-28 21:33:35 ----RAH---- C:\WINDOWS\system32\logonui.exe.manifest
2010-02-28 21:27:08 ----A---- C:\WINDOWS\pnplog.txt
2010-02-28 21:20:56 ----A---- C:\WINDOWS\system32\spxcoins.dll
2010-02-28 21:20:56 ----A---- C:\WINDOWS\system32\irclass.dll
2010-02-28 21:20:26 ----RA---- C:\WINDOWS\SETC7.tmp
2010-02-28 21:20:21 ----RA---- C:\WINDOWS\SETBB.tmp
2010-02-28 21:20:19 ----RA---- C:\WINDOWS\SETB8.tmp

======List of files/folders modified in the last 1 months======

2010-03-21 17:46:58 ----RD---- C:\Program Files
2010-03-21 17:45:25 ----D---- C:\WINDOWS\system32\CatRoot2
2010-03-21 14:35:01 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-03-21 14:32:54 ----SD---- C:\Documents and Settings\Janka S\Data aplikací\Microsoft
2010-03-21 14:28:45 ----SHD---- C:\WINDOWS\Installer
2010-03-20 18:09:14 ----D---- C:\Documents and Settings\Janka S\Data aplikací\vlc
2010-03-14 20:57:55 ----D---- C:\WINDOWS\system32
2010-03-14 12:15:35 ----D---- C:\Documents and Settings\Janka S\Data aplikací\Adobe
2010-03-14 12:15:02 ----D---- C:\WINDOWS\WinSxS
2010-03-14 12:14:45 ----D---- C:\Program Files\Common Files
2010-03-11 16:35:45 ----HD---- C:\WINDOWS\inf
2010-03-11 16:33:41 ----D---- C:\WINDOWS
2010-03-11 10:37:38 ----RSHDC---- C:\WINDOWS\system32\dllcache
2010-03-11 10:37:37 ----D---- C:\Program Files\Movie Maker
2010-03-11 10:36:58 ----HD---- C:\WINDOWS\$hf_mig$
2010-03-10 20:02:18 ----SD---- C:\WINDOWS\Downloaded Program Files
2010-03-09 18:27:13 ----A---- C:\WINDOWS\imsins.BAK
2010-03-04 18:28:05 ----SHD---- C:\WINDOWS\system32\lowsec
2010-03-04 07:15:38 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2010-03-04 07:13:13 ----D---- C:\WINDOWS\system32\drivers
2010-03-03 20:04:08 ----D---- C:\WINDOWS\AppPatch
2010-03-03 04:36:37 ----D---- C:\Program Files\Outlook Express
2010-03-02 10:05:51 ----D---- C:\WINDOWS\system32\wbem
2010-03-02 10:05:50 ----D---- C:\WINDOWS\system32\Setup
2010-03-02 10:03:10 ----D---- C:\WINDOWS\system32\CatRoot
2010-03-02 10:02:53 ----D---- C:\Program Files\Internet Explorer
2010-03-02 10:02:02 ----D---- C:\WINDOWS\Temp
2010-03-01 08:56:50 ----D---- C:\WINDOWS\SoftwareDistribution
2010-03-01 08:56:47 ----D---- C:\WINDOWS\Help
2010-02-28 22:17:46 ----D---- C:\WINDOWS\system
2010-02-28 22:17:39 ----D---- C:\WINDOWS\system32\usmt
2010-02-28 22:17:30 ----D---- C:\WINDOWS\Media
2010-02-28 22:17:23 ----RSD---- C:\WINDOWS\Fonts
2010-02-28 22:17:15 ----D---- C:\WINDOWS\PeerNet
2010-02-28 22:17:14 ----D---- C:\WINDOWS\ime
2010-02-28 22:16:51 ----D---- C:\WINDOWS\system32\npp
2010-02-28 22:16:42 ----D---- C:\WINDOWS\msagent
2010-02-28 22:16:11 ----D---- C:\WINDOWS\ehome
2010-02-28 22:15:35 ----D---- C:\WINDOWS\twain_32
2010-02-28 22:15:19 ----D---- C:\WINDOWS\system32\icsxml
2010-02-28 22:14:51 ----D---- C:\WINDOWS\system32\ias
2010-02-28 22:14:44 ----D---- C:\WINDOWS\system32\1033
2010-02-28 22:14:44 ----D---- C:\WINDOWS\system32\1029
2010-02-28 22:13:52 ----D---- C:\WINDOWS\Driver Cache
2010-02-28 21:44:47 ----D---- C:\WINDOWS\security
2010-02-28 21:42:14 ----D---- C:\WINDOWS\Registration
2010-02-28 21:41:38 ----A---- C:\WINDOWS\setuplog.txt
2010-02-28 21:40:29 ----SHD---- C:\System Volume Information
2010-02-28 21:40:29 ----D---- C:\WINDOWS\system32\Restore
2010-02-28 21:34:41 ----A---- C:\WINDOWS\OEWABLog.txt
2010-02-28 21:34:34 ----A---- C:\WINDOWS\ODBCINST.INI
2010-02-28 21:33:39 ----RD---- C:\WINDOWS\Web
2010-02-28 21:33:28 ----RAH---- C:\WINDOWS\system32\cdplayer.exe.manifest
2010-02-28 21:33:13 ----A---- C:\WINDOWS\win.ini
2010-02-28 21:33:08 ----D---- C:\WINDOWS\system32\oobe
2010-02-28 21:32:07 ----D---- C:\WINDOWS\system32\Com
2010-02-28 21:30:10 ----SH---- C:\boot.ini
2010-02-28 21:21:02 ----A---- C:\WINDOWS\system.ini
2010-02-28 21:20:45 ----ASH---- C:\Documents and Settings\All Users\Data aplikací\desktop.ini

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 ehdrv;ehdrv; C:\WINDOWS\system32\DRIVERS\ehdrv.sys [2009-11-16 108792]
R1 epfwtdir;epfwtdir; C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2009-11-16 96408]
R1 intelppm;Řadič procesoru Intel; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-17 39936]
R2 eamon;eamon; C:\WINDOWS\system32\DRIVERS\eamon.sys [2009-11-16 116520]
R3 AR5416;Atheros AR5008 Wireless Network Adapter Service; C:\WINDOWS\system32\DRIVERS\athw.sys [2009-10-18 1528928]
R3 CmBatt;Microsoft AC Adapter Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2006-11-08 14080]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2005-01-07 138752]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\igxpmp32.sys [2009-01-21 6278560]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2009-10-22 5922816]
R3 MTsensor;ATK0100 ACPI UTILITY; C:\WINDOWS\system32\DRIVERS\ATKACPI.sys [2002-02-08 6004]
R3 rimmptsk;rimmptsk; C:\WINDOWS\system32\DRIVERS\rimmptsk.sys [2005-11-16 28928]
R3 rimsptsk;rimsptsk; C:\WINDOWS\system32\DRIVERS\rimsptsk.sys [2006-09-08 51328]
R3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
R3 sdbus;sdbus; C:\WINDOWS\system32\DRIVERS\sdbus.sys [2004-08-03 67584]
R3 smserial;smserial; C:\WINDOWS\system32\DRIVERS\smserial.sys [2009-10-22 983936]
R3 usbehci;Ovladač miniportu rozšířeného radiče hostitele Microsoft USB 2.0; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-03 26624]
R3 usbhub;Rozbočovač umožnující USB2; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-03 57600]
R3 USBSTOR;Ovladač velkokapacitního paměťového zařízení USB; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
R3 usbuhci;Ovladač Microsoft univerzálního hostitelského řadiče USB od společnosti Microsoft; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-03 20480]
S2 Ambfiltq;Ambfiltq; \??\C:\WINDOWS\System32\DRIVERS\Ambfiltq.sys []
S3 Ambfilt;Ambfilt; C:\WINDOWS\system32\drivers\Ambfilt.sys [2009-10-22 1684736]
S3 HidUsb;Ovladač třídy standardu HID; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-10-25 9600]
S3 Monfilt;Monfilt; C:\WINDOWS\system32\drivers\Monfilt.sys [2009-10-22 1389056]
S3 mouhid;Ovladač myši standardu HID; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2006-11-08 12160]
S3 tcpsr;tcpsr; \??\C:\WINDOWS\System32\drivers\tcpsr.sys []
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 ekrn;ESET Service; C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [2009-11-16 735960]
S3 EhttpSrv;ESET HTTP Server; C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe [2009-11-16 20680]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]

-----------------EOF-----------------

[motji]

Fuj, to jste měl rovnou napsat, že máteještě tento pc

Combofix stahněte takto:
- pravým myšítkem klikněte na odkaz combofixu --uložit jako.. ,a teď ho přejmenujte na Potvora.com a uložte.



Stáhněte na plochu, ukončete všechna aktivní okna a spusťte ComboFix - http://download.bleepingcomputer.com/sUBs/ComboFix.exe

-souhlaste s instalací konzole pro zotavení

- ComboFix je třeba spustit pod účtem s právy administrátora

- Před použitím vypněte všechny rezidentní bezpečnostní programy - antiviry, firewally, antispywary

- Po spuštění se zobrazí podmínky užití, potvrďte je stiskem tlačítka Ano

- Dále postupujte dle pokynů, během aplikování ComboFixu neklikejte do zobrazujícího se okna

- Po dokončení skenování, trvajícího maximálně 10 minut, by měl program vytvořit log - C:\ComboFix.txt, zkopírujte celý jeho obsah sem

[nessay]

ComboFix 10-03-19.08 - Janka S . 03. 2010 21:35:12.1.2 - x86 MINIMAL
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.420.1029.18.2039.1814 [GMT 1:00]
Spuštěný z: c:\documents and settings\Janka S\Plocha\potvora.com.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

VAROVÁNÍ - NA TOMTO POČÍTAČI NENÍ NAINSTALOVÁNA KONZOLA PRO ZOTAVENÍ !!
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LocalService\oashdihasidhasuidhiasdhiashdiuasdhasd
c:\windows\ccdrive32.exe
c:\windows\system32\drivers\KGootkit.sys
c:\windows\system32\flags.ini
c:\windows\system32\ieuinit.inf
c:\windows\system32\imPlayok.exe
c:\windows\system32\kbdsock.dll
c:\windows\system32\mshlps.dll
c:\windows\system32\uses32.dat
c:\windows\system32\wssf.hgo

.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AMBFILTQ
-------\Legacy_KGOOTKIT
-------\Legacy_TCPSR
-------\Service_Ambfiltq
-------\Service_KGootkit
-------\Service_tcpsr


((((((((((((((((((((((((( Soubory vytvořené od 2010-02-23 do 2010-03-23 )))))))))))))))))))))))))))))))
.

2010-03-21 17:19 . 2010-03-21 17:19 231352 ----a-w- C:\UsbFix_Upload_Me_JANKA.zip
2010-03-21 16:48 . 2010-03-21 17:19 -------- d-----w- C:\UsbFix
2010-03-21 16:46 . 2010-03-21 16:47 -------- d-----w- C:\rsit
2010-03-21 16:46 . 2010-03-21 16:46 -------- d-----w- c:\program files\trend micro
2010-03-14 11:14 . 2010-03-14 19:58 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-13 16:22 . 2010-03-13 16:22 -------- d-----r- c:\documents and settings\LocalService\Oblíbené položky
2010-03-10 20:34 . 2010-03-10 20:34 -------- d-----w- c:\program files\Opera
2010-03-08 22:36 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe
2010-03-01 15:17 . 2010-03-01 15:17 -------- d-----w- c:\program files\ESET
2010-03-01 15:09 . 2008-06-14 18:00 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-03-01 15:08 . 2009-12-04 13:37 456832 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-03-01 15:07 . 2009-12-09 10:21 2065280 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-03-01 15:07 . 2009-12-09 10:21 2188160 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-03-01 15:07 . 2009-12-09 10:21 2144768 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-03-01 15:07 . 2009-12-09 10:21 2022912 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-02-28 20:36 . 2004-08-17 12:49 33792 -c--a-w- c:\windows\system32\dllcache\lmmib2.dll
2010-02-28 20:35 . 2004-08-17 12:49 24064 -c--a-w- c:\windows\system32\dllcache\compfilt.dll
2010-02-28 20:27 . 2004-08-03 21:31 20992 ----a-w- c:\windows\system32\drivers\RTL8139.sys
2010-02-28 20:20 . 2001-10-25 13:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2010-02-28 20:20 . 2001-10-25 13:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2010-02-28 20:20 . 2001-10-25 13:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2010-02-28 20:20 . 2001-10-25 13:00 13312 ----a-w- c:\windows\system32\irclass.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-23 20:45 . 2010-01-31 23:58 860672 ----a-w- c:\windows\system32\drivers\nycqcp.sys
2010-03-04 06:15 . 2001-10-25 13:00 46394 ----a-w- c:\windows\system32\perfc005.dat
2010-03-04 06:15 . 2001-10-25 13:00 310228 ----a-w- c:\windows\system32\perfh005.dat
2010-03-01 07:58 . 2004-08-03 20:14 212736 ----a-w- c:\windows\system32\drivers\ndis.sys
2010-02-28 20:32 . 2009-10-18 13:05 22916 ----a-w- c:\windows\system32\emptyregdb.dat
2010-01-31 23:59 . 2010-01-31 23:59 158 ----a-w- c:\windows\tTMiUO.bat
2010-01-31 23:58 . 2010-01-31 23:58 59961 ----a-w- C:\rjdnox.exe
2010-01-31 23:58 . 2010-01-31 23:58 59961 --sha-r- c:\windows\system32\windef.exe
2010-01-31 23:58 . 2010-01-31 23:58 188928 ----a-w- c:\windows\aOdMgh.exe
2010-01-31 23:58 . 2010-01-31 23:58 59961 ----a-w- C:\asag.exe
2009-12-31 15:06 . 2006-11-08 11:30 352640 ----a-w- c:\windows\system32\drivers\srv.sys
.

------- Sigcheck -------

[-] 2010-03-01 . 558635D3AF1C7546D26067D5D9B6959E . 212736 . . [5.1.2600.2180] . . c:\windows\system32\drivers\ndis.sys
[-] 2010-03-01 . 558635D3AF1C7546D26067D5D9B6959E . 212736 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\ndis.sys
[-] 2008-04-13 . 558635D3AF1C7546D26067D5D9B6959E . 182656 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\44c8256673ca0542cb198384f8131b68\ndis.sys

[-] 2008-04-14 . 56A6034E7764E23D9114223EB3523925 . 1571840 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\44c8256673ca0542cb198384f8131b68\sfcfiles.dll
[-] 2006-11-08 . 84F5FA7480E5680B8DD5A90CE7D8CA73 . 1548288 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-17 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-17 44544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HonorAutoRunSetting"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"HonorAutoRunSetting"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [16. 11. 2009 9:03 108792]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [16. 11. 2009 9:06 96408]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [16. 11. 2009 9:04 735960]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\ambfilt.sys [5. 8. 2008 19:10 1684736]

--- Ostatní služby/ovladače v paměti ---

*Deregistered* - nycqcp
.
.
------- Doplňkový sken -------
.
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xportovať do programu Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Janka S\Data aplikací\Mozilla\Firefox\Profiles\jjt0p7o7.default\

---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".sk");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -

HKU-Default-RunOnce-nltide3 - rundll32 advpack.dll
HKU-Default-RunOnce-nltide2 - rundll32 advpack.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-23 21:43
Windows 5.1.2600 Service Pack 2 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe >>UNKNOWN [0x89B28580]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba0ecfc3
\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8
\Driver\atapi -> atapi.sys @ 0xb9dad7b4
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582544
ParseProcedure -> ntkrnlpa.exe @ 0x80581684
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582544
ParseProcedure -> ntkrnlpa.exe @ 0x80581684
NDIS: Atheros AR928X Wireless Network Adapter -> SendCompleteHandler -> NDIS.sys @ 0x89b10bc3
PacketIndicateHandler -> NDIS.sys @ 0x89afea0b
SendHandler -> NDIS.sys @ 0x89b12b31
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\nycqcp]

.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'explorer.exe'(4644)
c:\windows\system32\msi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\windows\system32\WgaTray.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Celkový čas: 2010-03-23 21:46:00 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-03-23 20:45

Před spuštěním: Volných bajtů: 10 625 486 848
Po spuštění: Volných bajtů: 12 145 672 192

- - End Of File - - 580D587CBC7B0118D1E28AB3E8694BD2

[motji]

Z přílohy si stahněte soubor v raru, rozbalte ho a uložte přímo na disk C, tak aby cesta byla c:\ndis.sys

Pokud nemáte, přesuňte Combofix na plochu
-otevřete si Poznámkový blok
-Do něj zkopírujte text z tohoto okénka

Kód: Vybrat vše

KillAll::

Rootkit::
c:\windows\system32\drivers\nycqcp.sys
c:\windows\tTMiUO.bat
C:\rjdnox.exe
c:\windows\system32\windef.exe
c:\windows\aOdMgh.exe
C:\asag.exe

Driver::
nycqcp

FCOPY::
c:\ndis.sys | c:\windows\system32\drivers\ndis.sys
c:\ndis.sys | c:\windows\system32\dllcache\ndis.sys

-uložte Vámi vytvořený TXT soubor jako CFScript.txt na plochu
-po uložení uchopte vámi vytvořený skript levým myšítkem a -přesuňte ho nad ikonu Combofixu, kde ho upustíte:




-po aplikaci na Vás vypadne další log,vložte ho sem

Upozornění : může se stát, že po aplikaci skriptu a restartu Windows nenaběhnou, v tom případě znovu restartujte a přitom mačkejte F8, pak zvolte Poslední známou funkční konfiguraci

[nessay]

jsem to ale vul, zabudol som nahrat subor ndis do C: mozes mi poradit co s tym treba spravit??

hodim ten log.

ComboFix 10-03-19.08 - Janka S . 03. 2010 22:13:35.2.2 - x86 MINIMAL
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.420.1029.18.2039.1817 [GMT 1:00]
Spuštěný z: c:\documents and settings\Janka S\Plocha\potvora.com.exe
Použité ovládací přepínače :: c:\documents and settings\Janka S\Plocha\CFScript.txt
AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

VAROVÁNÍ - NA TOMTO POČÍTAČI NENÍ NAINSTALOVÁNA KONZOLA PRO ZOTAVENÍ !!
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NYCQCP
-------\Service_nycqcp


((((((((((((((((((((((((( Soubory vytvořené od 2010-02-23 do 2010-03-23 )))))))))))))))))))))))))))))))
.

2010-03-23 20:34 . 2010-03-23 20:46 -------- d-----w- C:\potvora.com
2010-03-21 17:19 . 2010-03-21 17:19 231352 ----a-w- C:\UsbFix_Upload_Me_JANKA.zip
2010-03-21 16:48 . 2010-03-21 17:19 -------- d-----w- C:\UsbFix
2010-03-21 16:46 . 2010-03-21 16:47 -------- d-----w- C:\rsit
2010-03-21 16:46 . 2010-03-21 16:46 -------- d-----w- c:\program files\trend micro
2010-03-14 11:14 . 2010-03-14 19:58 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-13 16:22 . 2010-03-13 16:22 -------- d-----r- c:\documents and settings\LocalService\Oblíbené položky
2010-03-10 20:34 . 2010-03-10 20:34 -------- d-----w- c:\program files\Opera
2010-03-08 22:36 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe
2010-03-01 15:17 . 2010-03-01 15:17 -------- d-----w- c:\program files\ESET
2010-03-01 15:09 . 2008-06-14 18:00 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-03-01 15:08 . 2009-12-04 13:37 456832 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-03-01 15:07 . 2009-12-09 10:21 2065280 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-03-01 15:07 . 2009-12-09 10:21 2188160 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-03-01 15:07 . 2009-12-09 10:21 2144768 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-03-01 15:07 . 2009-12-09 10:21 2022912 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-02-28 20:36 . 2004-08-17 12:49 33792 -c--a-w- c:\windows\system32\dllcache\lmmib2.dll
2010-02-28 20:35 . 2004-08-17 12:49 24064 -c--a-w- c:\windows\system32\dllcache\compfilt.dll
2010-02-28 20:27 . 2004-08-03 21:31 20992 ----a-w- c:\windows\system32\drivers\RTL8139.sys
2010-02-28 20:20 . 2001-10-25 13:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2010-02-28 20:20 . 2001-10-25 13:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2010-02-28 20:20 . 2001-10-25 13:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2010-02-28 20:20 . 2001-10-25 13:00 13312 ----a-w- c:\windows\system32\irclass.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-04 06:15 . 2001-10-25 13:00 46394 ----a-w- c:\windows\system32\perfc005.dat
2010-03-04 06:15 . 2001-10-25 13:00 310228 ----a-w- c:\windows\system32\perfh005.dat
2010-03-01 07:58 . 2004-08-03 20:14 212736 ----a-w- c:\windows\system32\drivers\ndis.sys
2010-02-28 20:32 . 2009-10-18 13:05 22916 ----a-w- c:\windows\system32\emptyregdb.dat
2009-12-31 15:06 . 2006-11-08 11:30 352640 ----a-w- c:\windows\system32\drivers\srv.sys
.

------- Sigcheck -------

[-] 2010-03-01 . 558635D3AF1C7546D26067D5D9B6959E . 212736 . . [5.1.2600.2180] . . c:\windows\system32\drivers\ndis.sys
[-] 2010-03-01 . 558635D3AF1C7546D26067D5D9B6959E . 212736 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\ndis.sys
[-] 2008-04-13 . 558635D3AF1C7546D26067D5D9B6959E . 182656 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\44c8256673ca0542cb198384f8131b68\ndis.sys

[-] 2008-04-14 . 56A6034E7764E23D9114223EB3523925 . 1571840 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\44c8256673ca0542cb198384f8131b68\sfcfiles.dll
[-] 2006-11-08 . 84F5FA7480E5680B8DD5A90CE7D8CA73 . 1548288 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-17 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-17 44544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HonorAutoRunSetting"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"HonorAutoRunSetting"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [16. 11. 2009 9:03 108792]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [16. 11. 2009 9:06 96408]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [16. 11. 2009 9:04 735960]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\ambfilt.sys [5. 8. 2008 19:10 1684736]
.
.
------- Doplňkový sken -------
.
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xportovať do programu Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Janka S\Data aplikací\Mozilla\Firefox\Profiles\jjt0p7o7.default\

---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".sk");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-23 22:20
Windows 5.1.2600 Service Pack 2 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe >>UNKNOWN [0x89B2B580]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba0ecfc3
\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8
\Driver\atapi -> atapi.sys @ 0xb9dad7b4
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582544
ParseProcedure -> ntkrnlpa.exe @ 0x80581684
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582544
ParseProcedure -> ntkrnlpa.exe @ 0x80581684
NDIS: Atheros AR928X Wireless Network Adapter -> SendCompleteHandler -> NDIS.sys @ 0x89b13bc3
PacketIndicateHandler -> NDIS.sys @ 0x89b01a0b
SendHandler -> NDIS.sys @ 0x89b15b31
user & kernel MBR OK

**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'explorer.exe'(4352)
c:\windows\system32\msi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\windows\system32\WgaTray.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Celkový čas: 2010-03-23 22:22:37 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-03-23 21:22
ComboFix2.txt 2010-03-23 20:46

Před spuštěním: Volných bajtů: 12 154 322 944
Po spuštění: Volných bajtů: 12 171 599 872

- - End Of File - - 42962AC59EE8E1A68D1BB1C73677401F

[motji]

nahrajte ho a použijte tento skript

Kód: Vybrat vše

FCOPY::
c:\ndis.sys | c:\windows\system32\drivers\ndis.sys
c:\ndis.sys | c:\windows\system32\dllcache\ndis.sys

[nessay]

Ale mne nejde ndis prekopirovat ani priamo rozbalit na C:

[motji]

Tady je nezabalený v raru http://leteckaposta.cz/236119095
Zkuste ho stahnout v nouzovém režimu

[nessay]

subor ndis mi tam vobec nechce skopirovat. aj ked som ho dal ulozit tak mi pisalo ze nemozem, lebo na to nemam opravnenie. podarilo sa mi tam skopirovat jedine subor ndis(2).sys ale ndis.sys nechcelo. nechcelo ho ani premenovat ked uz bol na C:
navyse pri prihlasovani do nudzoveho rezimu mi vobec neda na vyber medzi uzivatelom a administratorom.. hned odo mna pyta heslo od Janka S, ktory je tu dany ako spravce. tak ci to nahodou nie je kvoli tomu

[motji]

Patrně ho vir blokuje


Já už dnes končím, pokračování zítra, tady u toho počítače se ještě zapotíme .
Pokud budete mít čas, můžete udělat sken AVPtoolem,


Stahněte z mého podpisu AVPTOOl http://www.viry.cz/forum/viewtopic.php?f=29&t=58179

-Podle návodu nainstalujte a proveďte sken
-co najde nechejte léčit, mazat
-sken může trvat několik hodin
-vložte zde log z výsledky


Stáhněte Gmer http://www.viry.cz/forum/viewtopic.php?f=29&t=62878
- rozbalte a spusťte
-proběhne sken, po skončení se otevře okno s výsledky, klikněte na Save a tím si uložíte log,který sem vložíte

-Podle návodu v odkazu provedete druhý sken a log sem také vložíte.



Tento počítač zatím odpojte od netu, předtím si ještě stahněte Gmer
//editováno

[nessay]

Autoscan: completed 10 minutes ago (events: 62, objects: 81401, time: 00:22:15)
25. 3. 2010 20:22:08 Task started
25. 3. 2010 20:23:28 Detected: Rootkit.Win32.Agent.beko C:\WINDOWS\system32\drivers\KGootkit.sys
25. 3. 2010 20:51:57 Task stopped
25. 3. 2010 20:59:46 Task started
25. 3. 2010 21:00:58 Detected: Packed.Win32.Krap.ao C:\UsbFix_Upload_Me_JANKA.zip/UsbFix_Upload_Me/147.exe.UsbFix
25. 3. 2010 21:00:59 Deleted: Packed.Win32.Krap.ao C:\UsbFix_Upload_Me_JANKA.zip/UsbFix_Upload_Me/147.exe.UsbFix
25. 3. 2010 21:01:00 Detected: Trojan-Dropper.Win32.Binder.agr C:\UsbFix_Upload_Me_JANKA.zip/UsbFix_Upload_Me/autorun.exe.UsbFix
25. 3. 2010 21:01:00 Deleted: Trojan-Dropper.Win32.Binder.agr C:\UsbFix_Upload_Me_JANKA.zip/UsbFix_Upload_Me/autorun.exe.UsbFix
25. 3. 2010 21:01:34 Detected: Trojan.Win32.Pasmu.hl C:\Documents and Settings\Janka S\Local Settings\Temporary Internet Files\Content.IE5\7N04HCD2\protod[1].exe/FSG
25. 3. 2010 21:01:35 Detected: HEUR:Trojan-Downloader.Script.Generic C:\Documents and Settings\Janka S\Local Settings\Temporary Internet Files\Content.IE5\7N04HCD2\thread1[1].script
25. 3. 2010 21:01:35 Detected: Trojan.Win32.Pasmu.hl C:\Documents and Settings\Janka S\Local Settings\Temporary Internet Files\Content.IE5\C7K3GTU7\protod[1].exe/FSG
25. 3. 2010 21:01:53 Detected: HEUR:Trojan-Downloader.Script.Generic C:\Documents and Settings\Janka S\Local Settings\Temporary Internet Files\Content.IE5\CP5C4T3G\thread1[1].script
25. 3. 2010 21:01:53 Cannot be deleted: Trojan.Win32.Pasmu.hl C:\Documents and Settings\Janka S\Local Settings\Temporary Internet Files\Content.IE5\7N04HCD2\protod[1].exe Object not found
25. 3. 2010 21:01:54 Cannot be deleted: Trojan.Win32.Pasmu.hl C:\Documents and Settings\Janka S\Local Settings\Temporary Internet Files\Content.IE5\C7K3GTU7\protod[1].exe Object not found
25. 3. 2010 21:12:45 Detected: Trojan-Downloader.Win32.Genome.agsc C:\Qoobox\Quarantine\C\asag.exe.vir/PE_Patch.UPX/UPX
25. 3. 2010 21:12:45 Detected: Trojan-Downloader.Win32.Genome.agsc C:\Qoobox\Quarantine\C\rjdnox.exe.vir/PE_Patch.UPX/UPX
25. 3. 2010 21:12:46 Detected: Trojan.Win32.FakeMS.bea C:\Qoobox\Quarantine\C\WINDOWS\aOdMgh.exe.vir/ASPack
25. 3. 2010 21:13:07 Cannot be deleted: Trojan-Downloader.Win32.Genome.agsc C:\Qoobox\Quarantine\C\rjdnox.exe.vir Object not found
25. 3. 2010 21:13:07 Detected: Trojan-Downloader.Win32.CodecPack.knx C:\Qoobox\Quarantine\C\WINDOWS\ccdrive32.exe.vir
25. 3. 2010 21:13:08 Cannot be deleted: Trojan.Win32.FakeMS.bea C:\Qoobox\Quarantine\C\WINDOWS\aOdMgh.exe.vir Object not found
25. 3. 2010 21:13:08 Cannot be deleted: Trojan-Downloader.Win32.Genome.agsc C:\Qoobox\Quarantine\C\asag.exe.vir Object not found
25. 3. 2010 21:13:08 Detected: Backdoor.Win32.HareBot.aqh C:\Qoobox\Quarantine\C\WINDOWS\system32\imPlayok.exe.vir
25. 3. 2010 21:13:08 Detected: Trojan.Win32.Zapchast.aix C:\Qoobox\Quarantine\C\WINDOWS\system32\kbdsock.dll.vir
25. 3. 2010 21:13:08 Cannot be deleted: Trojan-Downloader.Win32.CodecPack.knx C:\Qoobox\Quarantine\C\WINDOWS\ccdrive32.exe.vir Object not found
25. 3. 2010 21:13:09 Detected: Trojan.Win32.Zapchast.aix C:\Qoobox\Quarantine\C\WINDOWS\system32\mshlps.dll.vir
25. 3. 2010 21:13:09 Deleted: Trojan.Win32.Zapchast.aix C:\Qoobox\Quarantine\C\WINDOWS\system32\kbdsock.dll.vir
25. 3. 2010 21:13:09 Deleted: Trojan.Win32.Zapchast.aix C:\Qoobox\Quarantine\C\WINDOWS\system32\mshlps.dll.vir
25. 3. 2010 21:13:09 Cannot be deleted: Backdoor.Win32.HareBot.aqh C:\Qoobox\Quarantine\C\WINDOWS\system32\imPlayok.exe.vir Object not found
25. 3. 2010 21:13:09 Detected: Trojan-Downloader.Win32.Genome.agsc C:\Qoobox\Quarantine\C\WINDOWS\system32\windef.exe.vir/PE_Patch.UPX/UPX
25. 3. 2010 21:13:09 Detected: Rootkit.Win32.Agent.beko C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\KGootkit.sys.vir
25. 3. 2010 21:13:09 Detected: Rootkit.Win32.Agent.bdkq C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\nycqcp.sys.vir
25. 3. 2010 21:13:10 Cannot be deleted: Trojan-Downloader.Win32.Genome.agsc C:\Qoobox\Quarantine\C\WINDOWS\system32\windef.exe.vir Object not found
25. 3. 2010 21:13:10 Cannot be deleted: Rootkit.Win32.Agent.beko C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\KGootkit.sys.vir Object not found
25. 3. 2010 21:13:11 Deleted: Rootkit.Win32.Agent.bdkq C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\nycqcp.sys.vir
25. 3. 2010 21:13:11 Detected: Trojan.Win32.Vilsel.rqe C:\System Volume Information\_restore{7E7EE45D-3D50-4375-9D5E-95BE09B47953}\RP0\A0000005.exe
25. 3. 2010 21:13:11 Detected: Trojan.Win32.Vilsel.rqe C:\System Volume Information\_restore{7E7EE45D-3D50-4375-9D5E-95BE09B47953}\RP0\A0000006.exe
25. 3. 2010 21:13:12 Cannot be deleted: Trojan.Win32.Vilsel.rqe C:\System Volume Information\_restore{7E7EE45D-3D50-4375-9D5E-95BE09B47953}\RP0\A0000006.exe Object not found
25. 3. 2010 21:13:12 Cannot be deleted: Trojan.Win32.Vilsel.rqe C:\System Volume Information\_restore{7E7EE45D-3D50-4375-9D5E-95BE09B47953}\RP0\A0000005.exe Object not found
25. 3. 2010 21:13:27 Detected: Trojan.Win32.Zapchast.aix C:\System Volume Information\_restore{7E7EE45D-3D50-4375-9D5E-95BE09B47953}\RP19\A0002202.dll
25. 3. 2010 21:13:27 Detected: Backdoor.Win32.HareBot.aqh C:\System Volume Information\_restore{7E7EE45D-3D50-4375-9D5E-95BE09B47953}\RP19\A0002201.exe
25. 3. 2010 21:13:27 Deleted: Trojan.Win32.Zapchast.aix C:\System Volume Information\_restore{7E7EE45D-3D50-4375-9D5E-95BE09B47953}\RP19\A0002202.dll
25. 3. 2010 21:13:27 Detected: Trojan.Win32.Zapchast.aix C:\System Volume Information\_restore{7E7EE45D-3D50-4375-9D5E-95BE09B47953}\RP19\A0002203.dll
25. 3. 2010 21:13:27 Deleted: Trojan.Win32.Zapchast.aix C:\System Volume Information\_restore{7E7EE45D-3D50-4375-9D5E-95BE09B47953}\RP19\A0002203.dll
25. 3. 2010 21:13:28 Cannot be deleted: Backdoor.Win32.HareBot.aqh C:\System Volume Information\_restore{7E7EE45D-3D50-4375-9D5E-95BE09B47953}\RP19\A0002201.exe Object not found
25. 3. 2010 21:13:32 Detected: Trojan-Downloader.Win32.Genome.agsc C:\System Volume Information\_restore{7E7EE45D-3D50-4375-9D5E-95BE09B47953}\RP19\A0002312.exe/PE_Patch.UPX/UPX
25. 3. 2010 21:13:32 Detected: Trojan.Win32.FakeMS.bea C:\System Volume Information\_restore{7E7EE45D-3D50-4375-9D5E-95BE09B47953}\RP19\A0002314.exe/ASPack
25. 3. 2010 21:13:32 Detected: Trojan-Downloader.Win32.Genome.agsc C:\System Volume Information\_restore{7E7EE45D-3D50-4375-9D5E-95BE09B47953}\RP19\A0002313.exe/PE_Patch.UPX/UPX
25. 3. 2010 21:13:33 Cannot be deleted: Trojan-Downloader.Win32.Genome.agsc C:\System Volume Information\_restore{7E7EE45D-3D50-4375-9D5E-95BE09B47953}\RP19\A0002312.exe Object not found
25. 3. 2010 21:13:33 Detected: Rootkit.Win32.Agent.bdkq C:\System Volume Information\_restore{7E7EE45D-3D50-4375-9D5E-95BE09B47953}\RP19\A0002315.sys
25. 3. 2010 21:13:34 Cannot be deleted: Trojan.Win32.FakeMS.bea C:\System Volume Information\_restore{7E7EE45D-3D50-4375-9D5E-95BE09B47953}\RP19\A0002314.exe Object not found
25. 3. 2010 21:13:34 Detected: Trojan-Downloader.Win32.Genome.agsc C:\System Volume Information\_restore{7E7EE45D-3D50-4375-9D5E-95BE09B47953}\RP19\A0002316.exe/PE_Patch.UPX/UPX
25. 3. 2010 21:13:34 Deleted: Rootkit.Win32.Agent.bdkq C:\System Volume Information\_restore{7E7EE45D-3D50-4375-9D5E-95BE09B47953}\RP19\A0002315.sys
25. 3. 2010 21:13:34 Cannot be deleted: Trojan-Downloader.Win32.Genome.agsc C:\System Volume Information\_restore{7E7EE45D-3D50-4375-9D5E-95BE09B47953}\RP19\A0002313.exe Object not found
25. 3. 2010 21:13:35 Cannot be deleted: Trojan-Downloader.Win32.Genome.agsc C:\System Volume Information\_restore{7E7EE45D-3D50-4375-9D5E-95BE09B47953}\RP19\A0002316.exe Object not found
25. 3. 2010 21:13:37 Detected: Rootkit.Win32.Agent.beko C:\System Volume Information\_restore{7E7EE45D-3D50-4375-9D5E-95BE09B47953}\RP19\A0002491.sys
25. 3. 2010 21:13:39 Cannot be deleted: Rootkit.Win32.Agent.beko C:\System Volume Information\_restore{7E7EE45D-3D50-4375-9D5E-95BE09B47953}\RP19\A0002491.sys Object not found
25. 3. 2010 21:14:26 Detected: Packed.Win32.Krap.ao C:\UsbFix\Quarantine\C\Documents and Settings\Janka S\LOCALS~1\Temp\147.exe.UsbFix
25. 3. 2010 21:14:43 Deleted: Packed.Win32.Krap.ao C:\UsbFix\Quarantine\C\Documents and Settings\Janka S\LOCALS~1\Temp\147.exe.UsbFix
25. 3. 2010 21:19:24 Detected: Trojan.Win32.Pasmu.hl C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\01AVO1IJ\protod[1].exe/FSG
25. 3. 2010 21:19:41 Cannot be deleted: Trojan.Win32.Pasmu.hl C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\01AVO1IJ\protod[1].exe Object not found
25. 3. 2010 21:19:52 Detected: HEUR:Trojan-Downloader.Script.Generic C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\G1QJS5MF\thread1[1].script
25. 3. 2010 21:22:01 Task completed
Disinfect active threats: completed 38 minutes ago (events: 10, objects: 1739, time: 00:02:00)
25. 3. 2010 20:51:57 Task started
25. 3. 2010 20:51:58 Detected: Rootkit.Win32.Agent.beko C:\WINDOWS\system32\drivers\KGootkit.sys
25. 3. 2010 20:52:23 Will be deleted on system restart: Rootkit.Win32.Agent.beko C:\WINDOWS\system32\drivers\KGootkit.sys
25. 3. 2010 20:53:13 Detected: Virus.Win32.Protector.e C:\WINDOWS\system32\drivers\ndis.sys
25. 3. 2010 20:53:13 Detected: Virus.Win32.Protector.e C:\WINDOWS\system32\drivers\ndis.sys
25. 3. 2010 20:53:14 Disinfected: Virus.Win32.Protector.e C:\WINDOWS\system32\drivers\ndis.sys
25. 3. 2010 20:53:14 Will be disinfected on system restart: Virus.Win32.Protector.e C:\WINDOWS\system32\drivers\ndis.sys
25. 3. 2010 20:53:55 Detected: http://www.viruslist.com/en/advisories/ ... nerability C:\WINDOWS\system32\drivers\etc\hosts
25. 3. 2010 20:53:56 Disinfected: http://www.viruslist.com/en/advisories/ ... nerability C:\WINDOWS\system32\drivers\etc\hosts
25. 3. 2010 20:53:57 Task completed

[nessay]

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-03-25 21:36:57
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\JANKAS~1\LOCALS~1\Temp\uxtdypoc.sys


---- System - GMER 1.0.15 ----

Code 89D85580 pIofCallDriver

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)

Device \Driver\NDIS \Device\Ndis [89D04982] NDIS.sys[.reloc]

---- EOF - GMER 1.0.15 ----

[nessay]

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-25 22:22:20
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\JANKAS~1\LOCALS~1\Temp\uxtdypoc.sys


---- System - GMER 1.0.15 ----

SSDT 88D24A70 ZwAssignProcessToJobObject
SSDT 88D255F0 ZwDebugActiveProcess
SSDT 88D25020 ZwDuplicateObject
SSDT 88D241B0 ZwOpenProcess
SSDT 88D244B0 ZwOpenThread
SSDT 88D24EB0 ZwProtectVirtualMemory
SSDT 88D24D50 ZwSetContextThread
SSDT 88D24BD0 ZwSetInformationThread
SSDT 88D21A90 ZwSetSecurityObject
SSDT 88D24910 ZwSuspendProcess
SSDT 88D247B0 ZwSuspendThread
SSDT 88D24340 ZwTerminateProcess
SSDT 88D24640 ZwTerminateThread
SSDT 88D25440 ZwWriteVirtualMemory

Code 89D85580 pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

.reloc C:\WINDOWS\system32\drivers\NDIS.sys section is executable [0x89CFD280, 0x32C2A, 0xE0000060]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1452] kernel32.dll!SetUnhandledExceptionFilter 7C844915 4 Bytes [C2, 04, 00, 00]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)

Device \Driver\NDIS \Device\Ndis [89D04982] NDIS.sys[.reloc]

AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\SoftwareDistribution\Download\44c8256673ca0542cb198384f8131b68\ndis.sys (size mismatch) 182656/182912 bytes executable

---- EOF - GMER 1.0.15 ----

[motji]

Už Vám šel ten ndis.syszkopírovat na disk C? Případně kde ho ted máte? Máte ho v raru nebo normálně někde ve složce, upravila bych cestu k němu.

[nessay]

nie, aj tak mi ho nechce skopirovat.. ani v nudzovom rezime
nachadza sa v priecinku C:\Documents and Settings\Janka S\Dokumenty\Preberanie

chcem sa opytat, je bezpecne pouzivat virtualnu mechaniku ako je Deamon??
kedze som ste sa na to pytala ci ho pouzivam a mal som si ho odstranit..