
PC virus removal, computer speed-up, remote help through the neslape.cz service
Problem with AVG and MBAM
Moderator: Moderators
Forum rules
If you want help, post a log from FRST [guide here] or RSIT [guide here]
Individual threads will be locked once resolved, and likewise those that are inactive for more than 14 days. See the Rule on locking topics. Thank you for your understanding.
!NEW!
You can now use the remote help service, where an expert connects to your computer and obtains further details about the problem from you by phone! More at www.neslape.cz
- Rudy
- Site Admin
- Posts: 119405
- Registered: 30 Oct 2003 13:42
- Location: Plzeň
- Contact user:
Re: Problem with AVG and MBAM
Try running IceSword in Safe Mode, or alternatively try a different anti-rootkit, for example Rootkit Repeal: http://www.viry.cz/forum/viewtopic.php?f=29&t=86010 .
Post questions and logs only in your own threads. Private messages, ICQ and e-mails are not for solving your problems.
Please support our forum: https://platba.viry.cz/payment/.
Visit:
e-mail: rudy(at)forum.viry.cz
Warning: Before disinfecting your PC, back up your important data (mail, contacts, documents, photos, videos, music, etc.). Apart from its "visible" activity, a virus can damage the system!
Once your problem is resolved, the thread will be locked. The same applies if it is inactive for more than 14 days. If you want the thread reactivated, write to me at the e-mail given above.
Re: Problem with AVG and MBAM
IceSword does not run even in Safe Mode.
RootRepeal runs. Which scans should I run?
- Rudy
- Site Admin
- Posts: 119405
- Registered: 30 Oct 2003 13:42
- Location: Plzeň
- Contact user:
Re: Problem with AVG and MBAM
Drivers, processes and hidden services.
Re: Problem with AVG and MBAM
Here are the Drivers and Processes logs. The program found no Hidden Services.
drivers:
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/04/11 18:24
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================
Drivers
-------------------
Name:
Image Path:
Address: 0xF747B000 Size: 96512 File Visible: No Signed: -
Status: -
Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xF75A8000 Size: 188288 File Visible: - Signed: -
Status: -
Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x804D7000 Size: 2191360 File Visible: - Signed: -
Status: -
Name: afd.sys
Image Path: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xB15CB000 Size: 138496 File Visible: - Signed: -
Status: -
Name: ALCXSENS.SYS
Image Path: C:\WINDOWS\system32\drivers\ALCXSENS.SYS
Address: 0xBA25F000 Size: 400384 File Visible: - Signed: -
Status: -
Name: ALCXWDM.SYS
Image Path: C:\WINDOWS\system32\drivers\ALCXWDM.SYS
Address: 0xBA2E5000 Size: 616192 File Visible: - Signed: -
Status: -
Name: amdk7.sys
Image Path: C:\WINDOWS\system32\DRIVERS\amdk7.sys
Address: 0xBAFC8000 Size: 41600 File Visible: - Signed: -
Status: -
Name: ati2cqag.dll
Image Path: C:\WINDOWS\System32\ati2cqag.dll
Address: 0xBFA0D000 Size: 212992 File Visible: - Signed: -
Status: -
Name: ati2dvag.dll
Image Path: C:\WINDOWS\System32\ati2dvag.dll
Address: 0xBF9D6000 Size: 225280 File Visible: - Signed: -
Status: -
Name: ati2mtag.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
Address: 0xBA3EB000 Size: 1331200 File Visible: - Signed: -
Status: -
Name: ati3duag.dll
Image Path: C:\WINDOWS\System32\ati3duag.dll
Address: 0xBFA76000 Size: 2367488 File Visible: - Signed: -
Status: -
Name: atikvmag.dll
Image Path: C:\WINDOWS\System32\atikvmag.dll
Address: 0xBFA41000 Size: 217088 File Visible: - Signed: -
Status: -
Name: ativvaxx.dll
Image Path: C:\WINDOWS\System32\ativvaxx.dll
Address: 0xBFCB8000 Size: 643072 File Visible: - Signed: -
Status: -
Name: atksgt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\atksgt.sys
Address: 0xAEFB5000 Size: 271360 File Visible: - Signed: -
Status: -
Name: ATMFD.DLL
Image Path: C:\WINDOWS\System32\ATMFD.DLL
Address: 0xBFFA0000 Size: 286720 File Visible: - Signed: -
Status: -
Name: audstub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\audstub.sys
Address: 0xF7A93000 Size: 3072 File Visible: - Signed: -
Status: -
Name: avgldx86.sys
Image Path: C:\WINDOWS\System32\Drivers\avgldx86.sys
Address: 0xB146B000 Size: 328576 File Visible: - Signed: -
Status: -
Name: avgmfx86.sys
Image Path: C:\WINDOWS\System32\Drivers\avgmfx86.sys
Address: 0xF774F000 Size: 21120 File Visible: - Signed: -
Status: -
Name: BOOTVID.dll
Image Path: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xF7897000 Size: 12288 File Visible: - Signed: -
Status: -
Name: Cdfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xAF3E7000 Size: 63744 File Visible: - Signed: -
Status: -
Name: cdrom.sys
Image Path: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Address: 0xBAFA8000 Size: 62976 File Visible: - Signed: -
Status: -
Name: ckldrv.sys
Image Path: C:\WINDOWS\system32\ckldrv.sys
Address: 0xF7947000 Size: 13984 File Visible: - Signed: -
Status: -
Name: CLASSPNP.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Address: 0xF7637000 Size: 53248 File Visible: - Signed: -
Status: -
Name: disk.sys
Image Path: disk.sys
Address: 0xF7627000 Size: 36352 File Visible: - Signed: -
Status: -
Name: dmio.sys
Image Path: dmio.sys
Address: 0xF7493000 Size: 153856 File Visible: - Signed: -
Status: -
Name: dmload.sys
Image Path: dmload.sys
Address: 0xF798D000 Size: 5888 File Visible: - Signed: -
Status: -
Name: drmk.sys
Image Path: C:\WINDOWS\system32\drivers\drmk.sys
Address: 0xBAF68000 Size: 61440 File Visible: - Signed: -
Status: -
Name: Dxapi.sys
Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xB9809000 Size: 12288 File Visible: - Signed: -
Status: -
Name: dxg.sys
Image Path: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF9C4000 Size: 73728 File Visible: - Signed: -
Status: -
Name: dxgthk.sys
Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xF7AA3000 Size: 4096 File Visible: - Signed: -
Status: -
Name: Fastfat.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Address: 0xB141F000 Size: 143744 File Visible: - Signed: -
Status: -
Name: fdc.sys
Image Path: C:\WINDOWS\system32\DRIVERS\fdc.sys
Address: 0xF77E7000 Size: 27392 File Visible: - Signed: -
Status: -
Name: fetnd5bv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys
Address: 0xBAF58000 Size: 43520 File Visible: - Signed: -
Status: -
Name: Fips.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS
Address: 0xF7557000 Size: 44544 File Visible: - Signed: -
Status: -
Name: flpydisk.sys
Image Path: C:\WINDOWS\system32\DRIVERS\flpydisk.sys
Address: 0xF780F000 Size: 20480 File Visible: - Signed: -
Status: -
Name: fltmgr.sys
Image Path: fltmgr.sys
Address: 0xF7443000 Size: 129792 File Visible: - Signed: -
Status: -
Name: Fs_Rec.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xF79B9000 Size: 7936 File Visible: - Signed: -
Status: -
Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xF74B9000 Size: 125184 File Visible: - Signed: -
Status: -
Name: GEARAspiWDM.sys
Image Path: C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys
Address: 0xBAFF4000 Size: 9472 File Visible: - Signed: -
Status: -
Name: giveio.sys
Image Path: giveio.sys
Address: 0xF7A50000 Size: 1664 File Visible: No Signed: -
Status: -
Name: hal.dll
Image Path: C:\WINDOWS\system32\hal.dll
Address: 0x806EE000 Size: 131840 File Visible: - Signed: -
Status: -
Name: HIDCLASS.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS
Address: 0xF7537000 Size: 36864 File Visible: - Signed: -
Status: -
Name: HIDPARSE.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Address: 0xF781F000 Size: 28672 File Visible: - Signed: -
Status: -
Name: hidusb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\hidusb.sys
Address: 0xBA18F000 Size: 10368 File Visible: - Signed: -
Status: -
Name: HTTP.sys
Image Path: C:\WINDOWS\System32\Drivers\HTTP.sys
Address: 0xAE609000 Size: 265728 File Visible: - Signed: -
Status: -
Name: i8042prt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\i8042prt.sys
Address: 0xBAF88000 Size: 52096 File Visible: - Signed: -
Status: -
Name: imapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\imapi.sys
Address: 0xBAFB8000 Size: 42112 File Visible: - Signed: -
Status: -
Name: ipnat.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipnat.sys
Address: 0xB14BC000 Size: 152832 File Visible: - Signed: -
Status: -
Name: ipsec.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Address: 0xB166E000 Size: 75264 File Visible: - Signed: -
Status: -
Name: isapnp.sys
Image Path: isapnp.sys
Address: 0xF75F7000 Size: 37248 File Visible: - Signed: -
Status: -
Name: kbdclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Address: 0xF77DF000 Size: 24576 File Visible: - Signed: -
Status: -
Name: KDCOM.DLL
Image Path: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xF7987000 Size: 8192 File Visible: - Signed: -
Status: -
Name: ks.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ks.sys
Address: 0xBA3B4000 Size: 143360 File Visible: - Signed: -
Status: -
Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xF741A000 Size: 92928 File Visible: - Signed: -
Status: -
Name: lirsgt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\lirsgt.sys
Address: 0xF7817000 Size: 18048 File Visible: - Signed: -
Status: -
Name: mnmdd.SYS
Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Address: 0xF79BB000 Size: 4224 File Visible: - Signed: -
Status: -
Name: mouclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Address: 0xF7807000 Size: 23040 File Visible: - Signed: -
Status: -
Name: mouhid.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mouhid.sys
Address: 0xBA18B000 Size: 12160 File Visible: - Signed: -
Status: -
Name: MountMgr.sys
Image Path: MountMgr.sys
Address: 0xF7607000 Size: 42368 File Visible: - Signed: -
Status: -
Name: mrxdav.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
Address: 0xAF00A000 Size: 180608 File Visible: - Signed: -
Status: -
Name: mrxsmb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Address: 0xB14E2000 Size: 455424 File Visible: - Signed: -
Status: -
Name: Msfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xF773F000 Size: 19072 File Visible: - Signed: -
Status: -
Name: msgpc.sys
Image Path: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Address: 0xF7697000 Size: 35072 File Visible: - Signed: -
Status: -
Name: mssmbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Address: 0xBAF2C000 Size: 15488 File Visible: - Signed: -
Status: -
Name: Mup.sys
Image Path: Mup.sys
Address: 0xF782B000 Size: 105344 File Visible: - Signed: -
Status: -
Name: NDIS.sys
Image Path: NDIS.sys
Address: 0xF786A000 Size: 182656 File Visible: - Signed: -
Status: -
Name: ndistapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Address: 0xBAFE8000 Size: 10112 File Visible: - Signed: -
Status: -
Name: ndisuio.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Address: 0xAF2B3000 Size: 14592 File Visible: - Signed: -
Status: -
Name: ndiswan.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Address: 0xBA1A8000 Size: 91520 File Visible: - Signed: -
Status: -
Name: NDProxy.SYS
Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xF76B7000 Size: 40576 File Visible: - Signed: -
Status: -
Name: netbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbios.sys
Address: 0xF7567000 Size: 34688 File Visible: - Signed: -
Status: -
Name: netbt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbt.sys
Address: 0xB15ED000 Size: 162816 File Visible: - Signed: -
Status: -
Name: Npfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xF7747000 Size: 30848 File Visible: - Signed: -
Status: -
Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xF7B52000 Size: 574976 File Visible: - Signed: -
Status: -
Name: ntoskrnl.exe
Image Path: C:\WINDOWS\system32\ntoskrnl.exe
Address: 0x804D7000 Size: 2191360 File Visible: - Signed: -
Status: -
Name: Null.SYS
Image Path: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xB17B8000 Size: 2944 File Visible: - Signed: -
Status: -
Name: nxsIO32.sys
Image Path: C:\WINDOWS\System32\DRIVERS\nxsIO32.sys
Address: 0xF7A9F000 Size: 2208 File Visible: - Signed: -
Status: -
Name: parport.sys
Image Path: C:\WINDOWS\system32\DRIVERS\parport.sys
Address: 0xBA37C000 Size: 80000 File Visible: - Signed: -
Status: -
Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xF770F000 Size: 19712 File Visible: - Signed: -
Status: -
Name: ParVdm.SYS
Image Path: C:\WINDOWS\System32\Drivers\ParVdm.SYS
Address: 0xF79CB000 Size: 6784 File Visible: - Signed: -
Status: -
Name: pci.sys
Image Path: pci.sys
Address: 0xF7597000 Size: 68736 File Visible: - Signed: -
Status: -
Name: PCIIDEX.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Address: 0xF7707000 Size: 28672 File Visible: - Signed: -
Status: -
Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x804D7000 Size: 2191360 File Visible: - Signed: -
Status: -
Name: point32.sys
Image Path: C:\WINDOWS\system32\DRIVERS\point32.sys
Address: 0xF7767000 Size: 21760 File Visible: - Signed: -
Status: -
Name: portcls.sys
Image Path: C:\WINDOWS\system32\drivers\portcls.sys
Address: 0xBA2C1000 Size: 147456 File Visible: - Signed: -
Status: -
Name: PQNTDrv.SYS
Image Path: C:\WINDOWS\System32\Drivers\PQNTDrv.SYS
Address: 0xF7ABB000 Size: 2688 File Visible: - Signed: -
Status: -
Name: psched.sys
Image Path: C:\WINDOWS\system32\DRIVERS\psched.sys
Address: 0xBA197000 Size: 69120 File Visible: - Signed: -
Status: -
Name: ptilink.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Address: 0xF77F7000 Size: 17792 File Visible: - Signed: -
Status: -
Name: rasacd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Address: 0xF792F000 Size: 8832 File Visible: - Signed: -
Status: -
Name: rasl2tp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Address: 0xBAF38000 Size: 51328 File Visible: - Signed: -
Status: -
Name: raspppoe.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Address: 0xF7677000 Size: 41472 File Visible: - Signed: -
Status: -
Name: raspptp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Address: 0xF7687000 Size: 48384 File Visible: - Signed: -
Status: -
Name: raspti.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspti.sys
Address: 0xF77FF000 Size: 16512 File Visible: - Signed: -
Status: -
Name: RAW
Image Path: \FileSystem\RAW
Address: 0x804D7000 Size: 2191360 File Visible: - Signed: -
Status: -
Name: rdbss.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Address: 0xB157A000 Size: 175744 File Visible: - Signed: -
Status: -
Name: RDPCDD.sys
Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xF79BD000 Size: 4224 File Visible: - Signed: -
Status: -
Name: rdpdr.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rdpdr.sys
Address: 0xBA13F000 Size: 196224 File Visible: - Signed: -
Status: -
Name: RDPWD.SYS
Image Path: C:\WINDOWS\System32\Drivers\RDPWD.SYS
Address: 0xAE762000 Size: 139520 File Visible: - Signed: -
Status: -
Name: redbook.sys
Image Path: C:\WINDOWS\system32\DRIVERS\redbook.sys
Address: 0xBAF98000 Size: 58496 File Visible: - Signed: -
Status: -
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB1771000 Size: 49152 File Visible: No Signed: -
Status: -
Name: SCSIPORT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\SCSIPORT.SYS
Address: 0xF7463000 Size: 98304 File Visible: - Signed: -
Status: -
Name: secdrv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\secdrv.sys
Address: 0xAEEFD000 Size: 40960 File Visible: - Signed: -
Status: -
Name: SENTINEL.SYS
Image Path: C:\WINDOWS\System32\Drivers\SENTINEL.SYS
Address: 0xAEFF8000 Size: 73216 File Visible: - Signed: -
Status: -
Name: serenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\serenum.sys
Address: 0xBAFEC000 Size: 15744 File Visible: - Signed: -
Status: -
Name: serial.sys
Image Path: C:\WINDOWS\system32\DRIVERS\serial.sys
Address: 0xBAF78000 Size: 64256 File Visible: - Signed: -
Status: -
Name: sfdrv01.sys
Image Path: sfdrv01.sys
Address: 0xF7845000 Size: 73728 File Visible: - Signed: -
Status: -
Name: sfhlp02.sys
Image Path: sfhlp02.sys
Address: 0xF7717000 Size: 32768 File Visible: - Signed: -
Status: -
Name: sfvfs02.sys
Image Path: sfvfs02.sys
Address: 0xF7857000 Size: 77824 File Visible: - Signed: -
Status: -
Name: sojubus.sys
Image Path: sojubus.sys
Address: 0xF74D8000 Size: 123520 File Visible: - Signed: -
Status: -
Name: sojuscsi.sys
Image Path: sojuscsi.sys
Address: 0xF798F000 Size: 5504 File Visible: - Signed: -
Status: -
Name: speedfan.sys
Image Path: speedfan.sys
Address: 0xF7A4F000 Size: 4096 File Visible: No Signed: -
Status: -
Name: sr.sys
Image Path: sr.sys
Address: 0xF7431000 Size: 73344 File Visible: - Signed: -
Status: -
Name: srv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\srv.sys
Address: 0xAEE6E000 Size: 353792 File Visible: - Signed: -
Status: -
Name: swenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\swenum.sys
Address: 0xF79B5000 Size: 4352 File Visible: - Signed: -
Status: -
Name: sysaudio.sys
Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys
Address: 0xAEB7E000 Size: 60800 File Visible: - Signed: -
Status: -
Name: tcpip.sys
Image Path: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Address: 0xB1615000 Size: 361600 File Visible: - Signed: -
Status: -
Name: TDI.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Address: 0xF77EF000 Size: 20480 File Visible: - Signed: -
Status: -
Name: TDTCP.SYS
Image Path: C:\WINDOWS\System32\Drivers\TDTCP.SYS
Address: 0xF7787000 Size: 21760 File Visible: - Signed: -
Status: -
Name: termdd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\termdd.sys
Address: 0xF76A7000 Size: 40704 File Visible: - Signed: -
Status: -
Name: uagp35.sys
Image Path: uagp35.sys
Address: 0xF7647000 Size: 44672 File Visible: - Signed: -
Status: -
Name: update.sys
Image Path: C:\WINDOWS\system32\DRIVERS\update.sys
Address: 0xBA0E1000 Size: 384768 File Visible: - Signed: -
Status: -
Name: USBD.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Address: 0xF79B7000 Size: 8192 File Visible: - Signed: -
Status: -
Name: usbehci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Address: 0xF77D7000 Size: 30208 File Visible: - Signed: -
Status: -
Name: usbhub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Address: 0xF76F7000 Size: 59520 File Visible: - Signed: -
Status: -
Name: USBPORT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Address: 0xBA390000 Size: 147456 File Visible: - Signed: -
Status: -
Name: usbprint.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbprint.sys
Address: 0xF776F000 Size: 25856 File Visible: - Signed: -
Status: -
Name: usbuhci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Address: 0xF77CF000 Size: 20608 File Visible: - Signed: -
Status: -
Name: vga.sys
Image Path: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xF7737000 Size: 20992 File Visible: - Signed: -
Status: -
Name: viaide.sys
Image Path: viaide.sys
Address: 0xF798B000 Size: 5376 File Visible: - Signed: -
Status: -
Name: VIDEOPRT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Address: 0xBA3D7000 Size: 81920 File Visible: - Signed: -
Status: -
Name: vmm.sys
Image Path: C:\WINDOWS\system32\drivers\vmm.sys
Address: 0xB15A5000 Size: 155648 File Visible: - Signed: -
Status: -
Name: VMNetSrv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\VMNetSrv.sys
Address: 0xBAF48000 Size: 57344 File Visible: - Signed: -
Status: -
Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xF7617000 Size: 52480 File Visible: - Signed: -
Status: -
Name: wanarp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Address: 0xF7547000 Size: 34560 File Visible: - Signed: -
Status: -
Name: watchdog.sys
Image Path: C:\WINDOWS\System32\watchdog.sys
Address: 0xF778F000 Size: 20480 File Visible: - Signed: -
Status: -
Name: wdmaud.sys
Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys
Address: 0xAEAC1000 Size: 83072 File Visible: - Signed: -
Status: -
Name: Win32k
Image Path: \Driver\Win32k
Address: 0xBF800000 Size: 1851392 File Visible: - Signed: -
Status: -
Name: win32k.sys
Image Path: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000 Size: 1851392 File Visible: - Signed: -
Status: -
Name: WMILIB.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\WMILIB.SYS
Address: 0xF7989000 Size: 8192 File Visible: - Signed: -
Status: -
Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x804D7000 Size: 2191360 File Visible: - Signed: -
Status: -
Name: WudfPf.sys
Image Path: WudfPf.sys
Address: 0xF7407000 Size: 77568 File Visible: - Signed: -
Status: -
processes:
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/04/11 18:24
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================
Processes
-------------------
Path: System
PID: 4 Status: -
Path: C:\Program Files\TotalCommander\TOTALCMD.EXE
PID: 272 Status: -
Path: C:\WINDOWS\system32\svchost.exe
PID: 320 Status: -
Path: C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
PID: 380 Status: -
Path: C:\Program Files\Bonjour\mDNSResponder.exe
PID: 408 Status: -
Path: C:\Documents and Settings\Dvořák\Plocha\RootRepeal.exe
PID: 416 Status: -
Path: C:\WINDOWS\system32\inetsrv\inetinfo.exe
PID: 496 Status: -
Path: C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
PID: 696 Status: -
Path: C:\WINDOWS\system32\smss.exe
PID: 784 Status: -
Path: C:\WINDOWS\system32\csrss.exe
PID: 876 Status: -
Path: C:\WINDOWS\system32\winlogon.exe
PID: 904 Status: -
Path: C:\WINDOWS\system32\services.exe
PID: 956 Status: -
Path: C:\WINDOWS\system32\lsass.exe
PID: 968 Status: -
Path: C:\WINDOWS\system32\ati2evxx.exe
PID: 1148 Status: -
Path: C:\WINDOWS\system32\svchost.exe
PID: 1168 Status: -
Path: C:\WINDOWS\system32\svchost.exe
PID: 1332 Status: -
Path: C:\WINDOWS\system32\wscntfy.exe
PID: 1388 Status: -
Path: C:\Program Files\AVG\AVG8\avgrsx.exe
PID: 1400 Status: -
Path: C:\WINDOWS\system32\svchost.exe
PID: 1456 Status: -
Path: C:\WINDOWS\system32\svchost.exe
PID: 1500 Status: -
Path: C:\WINDOWS\system32\svchost.exe
PID: 1684 Status: -
Path: C:\WINDOWS\system32\svchost.exe
PID: 1868 Status: -
Path: C:\WINDOWS\system32\spoolsv.exe
PID: 2008 Status: -
Path: C:\WINDOWS\system32\alg.exe
PID: 2172 Status: -
Path: C:\WINDOWS\system32\ati2evxx.exe
PID: 2560 Status: -
Path: C:\WINDOWS\explorer.exe
PID: 2668 Status: -
Path: C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
PID: 3020 Status: -
Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\fpdisp5a.exe
PID: 3052 Status: -
Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\fppdis2a.exe
PID: 3076 Status: -
Path: C:\WINDOWS\SOUNDMAN.EXE
PID: 3112 Status: -
Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
PID: 3144 Status: -
Path: C:\PROGRA~1\AVG\AVG8\avgtray.exe
PID: 3168 Status: -
Path: C:\Program Files\Microsoft IntelliPoint\ipoint.exe
PID: 3204 Status: -
Path: C:\Program Files\Philips\Philips Lime Service\bin\LimeAlive.exe
PID: 3248 Status: -
Path: C:\WINDOWS\system32\ctfmon.exe
PID: 3288 Status: -
Path: C:\Program Files\Philips\Philips Lime Service\bin\Lime.exe
PID: 3472 Status: -
Path: C:\Program Files\SpeedFan\speedfan.exe
PID: 3484 Status: -
Path: C:\WINDOWS\system32\taskmgr.exe
PID: 3744 Status: -
Path: C:\WINDOWS\system32\svchost.exe
PID: 3800 Status: -
Path: C:\Program Files\Mozilla Firefox\firefox.exe
PID: 3952 Status: -
Status: -
Name: ndisuio.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Address: 0xAF2B3000 Size: 14592 File Visible: - Signed: -
Status: -
Name: ndiswan.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Address: 0xBA1A8000 Size: 91520 File Visible: - Signed: -
Status: -
Name: NDProxy.SYS
Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xF76B7000 Size: 40576 File Visible: - Signed: -
Status: -
Name: netbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbios.sys
Address: 0xF7567000 Size: 34688 File Visible: - Signed: -
Status: -
Name: netbt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbt.sys
Address: 0xB15ED000 Size: 162816 File Visible: - Signed: -
Status: -
Name: Npfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xF7747000 Size: 30848 File Visible: - Signed: -
Status: -
Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xF7B52000 Size: 574976 File Visible: - Signed: -
Status: -
Name: ntoskrnl.exe
Image Path: C:\WINDOWS\system32\ntoskrnl.exe
Address: 0x804D7000 Size: 2191360 File Visible: - Signed: -
Status: -
Name: Null.SYS
Image Path: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xB17B8000 Size: 2944 File Visible: - Signed: -
Status: -
Name: nxsIO32.sys
Image Path: C:\WINDOWS\System32\DRIVERS\nxsIO32.sys
Address: 0xF7A9F000 Size: 2208 File Visible: - Signed: -
Status: -
Name: parport.sys
Image Path: C:\WINDOWS\system32\DRIVERS\parport.sys
Address: 0xBA37C000 Size: 80000 File Visible: - Signed: -
Status: -
Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xF770F000 Size: 19712 File Visible: - Signed: -
Status: -
Name: ParVdm.SYS
Image Path: C:\WINDOWS\System32\Drivers\ParVdm.SYS
Address: 0xF79CB000 Size: 6784 File Visible: - Signed: -
Status: -
Name: pci.sys
Image Path: pci.sys
Address: 0xF7597000 Size: 68736 File Visible: - Signed: -
Status: -
Name: PCIIDEX.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Address: 0xF7707000 Size: 28672 File Visible: - Signed: -
Status: -
Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x804D7000 Size: 2191360 File Visible: - Signed: -
Status: -
Name: point32.sys
Image Path: C:\WINDOWS\system32\DRIVERS\point32.sys
Address: 0xF7767000 Size: 21760 File Visible: - Signed: -
Status: -
Name: portcls.sys
Image Path: C:\WINDOWS\system32\drivers\portcls.sys
Address: 0xBA2C1000 Size: 147456 File Visible: - Signed: -
Status: -
Name: PQNTDrv.SYS
Image Path: C:\WINDOWS\System32\Drivers\PQNTDrv.SYS
Address: 0xF7ABB000 Size: 2688 File Visible: - Signed: -
Status: -
Name: psched.sys
Image Path: C:\WINDOWS\system32\DRIVERS\psched.sys
Address: 0xBA197000 Size: 69120 File Visible: - Signed: -
Status: -
Name: ptilink.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Address: 0xF77F7000 Size: 17792 File Visible: - Signed: -
Status: -
Name: rasacd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Address: 0xF792F000 Size: 8832 File Visible: - Signed: -
Status: -
Name: rasl2tp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Address: 0xBAF38000 Size: 51328 File Visible: - Signed: -
Status: -
Name: raspppoe.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Address: 0xF7677000 Size: 41472 File Visible: - Signed: -
Status: -
Name: raspptp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Address: 0xF7687000 Size: 48384 File Visible: - Signed: -
Status: -
Name: raspti.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspti.sys
Address: 0xF77FF000 Size: 16512 File Visible: - Signed: -
Status: -
Name: RAW
Image Path: \FileSystem\RAW
Address: 0x804D7000 Size: 2191360 File Visible: - Signed: -
Status: -
Name: rdbss.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Address: 0xB157A000 Size: 175744 File Visible: - Signed: -
Status: -
Name: RDPCDD.sys
Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xF79BD000 Size: 4224 File Visible: - Signed: -
Status: -
Name: rdpdr.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rdpdr.sys
Address: 0xBA13F000 Size: 196224 File Visible: - Signed: -
Status: -
Name: RDPWD.SYS
Image Path: C:\WINDOWS\System32\Drivers\RDPWD.SYS
Address: 0xAE762000 Size: 139520 File Visible: - Signed: -
Status: -
Name: redbook.sys
Image Path: C:\WINDOWS\system32\DRIVERS\redbook.sys
Address: 0xBAF98000 Size: 58496 File Visible: - Signed: -
Status: -
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB1771000 Size: 49152 File Visible: No Signed: -
Status: -
Name: SCSIPORT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\SCSIPORT.SYS
Address: 0xF7463000 Size: 98304 File Visible: - Signed: -
Status: -
Name: secdrv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\secdrv.sys
Address: 0xAEEFD000 Size: 40960 File Visible: - Signed: -
Status: -
Name: SENTINEL.SYS
Image Path: C:\WINDOWS\System32\Drivers\SENTINEL.SYS
Address: 0xAEFF8000 Size: 73216 File Visible: - Signed: -
Status: -
Name: serenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\serenum.sys
Address: 0xBAFEC000 Size: 15744 File Visible: - Signed: -
Status: -
Name: serial.sys
Image Path: C:\WINDOWS\system32\DRIVERS\serial.sys
Address: 0xBAF78000 Size: 64256 File Visible: - Signed: -
Status: -
Name: sfdrv01.sys
Image Path: sfdrv01.sys
Address: 0xF7845000 Size: 73728 File Visible: - Signed: -
Status: -
Name: sfhlp02.sys
Image Path: sfhlp02.sys
Address: 0xF7717000 Size: 32768 File Visible: - Signed: -
Status: -
Name: sfvfs02.sys
Image Path: sfvfs02.sys
Address: 0xF7857000 Size: 77824 File Visible: - Signed: -
Status: -
Name: sojubus.sys
Image Path: sojubus.sys
Address: 0xF74D8000 Size: 123520 File Visible: - Signed: -
Status: -
Name: sojuscsi.sys
Image Path: sojuscsi.sys
Address: 0xF798F000 Size: 5504 File Visible: - Signed: -
Status: -
Name: speedfan.sys
Image Path: speedfan.sys
Address: 0xF7A4F000 Size: 4096 File Visible: No Signed: -
Status: -
Name: sr.sys
Image Path: sr.sys
Address: 0xF7431000 Size: 73344 File Visible: - Signed: -
Status: -
Name: srv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\srv.sys
Address: 0xAEE6E000 Size: 353792 File Visible: - Signed: -
Status: -
Name: swenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\swenum.sys
Address: 0xF79B5000 Size: 4352 File Visible: - Signed: -
Status: -
Name: sysaudio.sys
Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys
Address: 0xAEB7E000 Size: 60800 File Visible: - Signed: -
Status: -
Name: tcpip.sys
Image Path: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Address: 0xB1615000 Size: 361600 File Visible: - Signed: -
Status: -
Name: TDI.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Address: 0xF77EF000 Size: 20480 File Visible: - Signed: -
Status: -
Name: TDTCP.SYS
Image Path: C:\WINDOWS\System32\Drivers\TDTCP.SYS
Address: 0xF7787000 Size: 21760 File Visible: - Signed: -
Status: -
Name: termdd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\termdd.sys
Address: 0xF76A7000 Size: 40704 File Visible: - Signed: -
Status: -
Name: uagp35.sys
Image Path: uagp35.sys
Address: 0xF7647000 Size: 44672 File Visible: - Signed: -
Status: -
Name: update.sys
Image Path: C:\WINDOWS\system32\DRIVERS\update.sys
Address: 0xBA0E1000 Size: 384768 File Visible: - Signed: -
Status: -
Name: USBD.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Address: 0xF79B7000 Size: 8192 File Visible: - Signed: -
Status: -
Name: usbehci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Address: 0xF77D7000 Size: 30208 File Visible: - Signed: -
Status: -
Name: usbhub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Address: 0xF76F7000 Size: 59520 File Visible: - Signed: -
Status: -
Name: USBPORT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Address: 0xBA390000 Size: 147456 File Visible: - Signed: -
Status: -
Name: usbprint.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbprint.sys
Address: 0xF776F000 Size: 25856 File Visible: - Signed: -
Status: -
Name: usbuhci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Address: 0xF77CF000 Size: 20608 File Visible: - Signed: -
Status: -
Name: vga.sys
Image Path: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xF7737000 Size: 20992 File Visible: - Signed: -
Status: -
Name: viaide.sys
Image Path: viaide.sys
Address: 0xF798B000 Size: 5376 File Visible: - Signed: -
Status: -
Name: VIDEOPRT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Address: 0xBA3D7000 Size: 81920 File Visible: - Signed: -
Status: -
Name: vmm.sys
Image Path: C:\WINDOWS\system32\drivers\vmm.sys
Address: 0xB15A5000 Size: 155648 File Visible: - Signed: -
Status: -
Name: VMNetSrv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\VMNetSrv.sys
Address: 0xBAF48000 Size: 57344 File Visible: - Signed: -
Status: -
Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xF7617000 Size: 52480 File Visible: - Signed: -
Status: -
Name: wanarp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Address: 0xF7547000 Size: 34560 File Visible: - Signed: -
Status: -
Name: watchdog.sys
Image Path: C:\WINDOWS\System32\watchdog.sys
Address: 0xF778F000 Size: 20480 File Visible: - Signed: -
Status: -
Name: wdmaud.sys
Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys
Address: 0xAEAC1000 Size: 83072 File Visible: - Signed: -
Status: -
Name: Win32k
Image Path: \Driver\Win32k
Address: 0xBF800000 Size: 1851392 File Visible: - Signed: -
Status: -
Name: win32k.sys
Image Path: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000 Size: 1851392 File Visible: - Signed: -
Status: -
Name: WMILIB.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\WMILIB.SYS
Address: 0xF7989000 Size: 8192 File Visible: - Signed: -
Status: -
Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x804D7000 Size: 2191360 File Visible: - Signed: -
Status: -
Name: WudfPf.sys
Image Path: WudfPf.sys
Address: 0xF7407000 Size: 77568 File Visible: - Signed: -
Status: -
processes:
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/04/11 18:24
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================
Processes
-------------------
Path: System
PID: 4 Status: -
Path: C:\Program Files\TotalCommander\TOTALCMD.EXE
PID: 272 Status: -
Path: C:\WINDOWS\system32\svchost.exe
PID: 320 Status: -
Path: C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
PID: 380 Status: -
Path: C:\Program Files\Bonjour\mDNSResponder.exe
PID: 408 Status: -
Path: C:\Documents and Settings\Dvořák\Plocha\RootRepeal.exe
PID: 416 Status: -
Path: C:\WINDOWS\system32\inetsrv\inetinfo.exe
PID: 496 Status: -
Path: C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
PID: 696 Status: -
Path: C:\WINDOWS\system32\smss.exe
PID: 784 Status: -
Path: C:\WINDOWS\system32\csrss.exe
PID: 876 Status: -
Path: C:\WINDOWS\system32\winlogon.exe
PID: 904 Status: -
Path: C:\WINDOWS\system32\services.exe
PID: 956 Status: -
Path: C:\WINDOWS\system32\lsass.exe
PID: 968 Status: -
Path: C:\WINDOWS\system32\ati2evxx.exe
PID: 1148 Status: -
Path: C:\WINDOWS\system32\svchost.exe
PID: 1168 Status: -
Path: C:\WINDOWS\system32\svchost.exe
PID: 1332 Status: -
Path: C:\WINDOWS\system32\wscntfy.exe
PID: 1388 Status: -
Path: C:\Program Files\AVG\AVG8\avgrsx.exe
PID: 1400 Status: -
Path: C:\WINDOWS\system32\svchost.exe
PID: 1456 Status: -
Path: C:\WINDOWS\system32\svchost.exe
PID: 1500 Status: -
Path: C:\WINDOWS\system32\svchost.exe
PID: 1684 Status: -
Path: C:\WINDOWS\system32\svchost.exe
PID: 1868 Status: -
Path: C:\WINDOWS\system32\spoolsv.exe
PID: 2008 Status: -
Path: C:\WINDOWS\system32\alg.exe
PID: 2172 Status: -
Path: C:\WINDOWS\system32\ati2evxx.exe
PID: 2560 Status: -
Path: C:\WINDOWS\explorer.exe
PID: 2668 Status: -
Path: C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
PID: 3020 Status: -
Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\fpdisp5a.exe
PID: 3052 Status: -
Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\fppdis2a.exe
PID: 3076 Status: -
Path: C:\WINDOWS\SOUNDMAN.EXE
PID: 3112 Status: -
Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
PID: 3144 Status: -
Path: C:\PROGRA~1\AVG\AVG8\avgtray.exe
PID: 3168 Status: -
Path: C:\Program Files\Microsoft IntelliPoint\ipoint.exe
PID: 3204 Status: -
Path: C:\Program Files\Philips\Philips Lime Service\bin\LimeAlive.exe
PID: 3248 Status: -
Path: C:\WINDOWS\system32\ctfmon.exe
PID: 3288 Status: -
Path: C:\Program Files\Philips\Philips Lime Service\bin\Lime.exe
PID: 3472 Status: -
Path: C:\Program Files\SpeedFan\speedfan.exe
PID: 3484 Status: -
Path: C:\WINDOWS\system32\taskmgr.exe
PID: 3744 Status: -
Path: C:\WINDOWS\system32\svchost.exe
PID: 3800 Status: -
Path: C:\Program Files\Mozilla Firefox\firefox.exe
PID: 3952 Status: -
- Rudy
- Site Admin
- Posts: 119405
- Registered: 30 Oct 2003 13:42
- Location: Plzeň
Re: Problem with AVG and MBAM
I don't see any rootkit there. Also try the Stealth Process scan.
Re: Problem with AVG and MBAM
here it is:
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/04/11 21:07
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================
Stealth Objects
-------------------
Object: Hidden Code [Driver: sojuscsi, IRP_MJ_CREATE]
Process: System Address: 0x89eed800 Size: 99
Object: Hidden Code [Driver: sojuscsi, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x89eed800 Size: 99
Object: Hidden Code [Driver: sojuscsi, IRP_MJ_CLOSE]
Process: System Address: 0x89eed800 Size: 99
Object: Hidden Code [Driver: sojuscsi, IRP_MJ_READ]
Process: System Address: 0x89eed800 Size: 99
Object: Hidden Code [Driver: sojuscsi, IRP_MJ_WRITE]
Process: System Address: 0x89eed800 Size: 99
Object: Hidden Code [Driver: sojuscsi, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x89eed800 Size: 99
Object: Hidden Code [Driver: sojuscsi, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x89eed800 Size: 99
Object: Hidden Code [Driver: sojuscsi, IRP_MJ_QUERY_EA]
Process: System Address: 0x89eed800 Size: 99
Object: Hidden Code [Driver: sojuscsi, IRP_MJ_SET_EA]
Process: System Address: 0x89eed800 Size: 99
Object: Hidden Code [Driver: sojuscsi, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x89eed800 Size: 99
Object: Hidden Code [Driver: sojuscsi, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x89eed800 Size: 99
Object: Hidden Code [Driver: sojuscsi, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x89eed800 Size: 99
Object: Hidden Code [Driver: sojuscsi, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x89eed800 Size: 99
Object: Hidden Code [Driver: sojuscsi, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x89eed800 Size: 99
Object: Hidden Code [Driver: sojuscsi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89eed800 Size: 99
Object: Hidden Code [Driver: sojuscsi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89eed800 Size: 99
Object: Hidden Code [Driver: sojuscsi, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89eed800 Size: 99
Object: Hidden Code [Driver: sojuscsi, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x89eed800 Size: 99
Object: Hidden Code [Driver: sojuscsi, IRP_MJ_CLEANUP]
Process: System Address: 0x89eed800 Size: 99
Object: Hidden Code [Driver: sojuscsi, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x89eed800 Size: 99
Object: Hidden Code [Driver: sojuscsi, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x89eed800 Size: 99
Object: Hidden Code [Driver: sojuscsi, IRP_MJ_SET_SECURITY]
Process: System Address: 0x89eed800 Size: 99
Object: Hidden Code [Driver: sojuscsi, IRP_MJ_POWER]
Process: System Address: 0x89eed800 Size: 99
Object: Hidden Code [Driver: sojuscsi, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89eed800 Size: 99
Object: Hidden Code [Driver: sojuscsi, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x89eed800 Size: 99
Object: Hidden Code [Driver: sojuscsi, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x89eed800 Size: 99
Object: Hidden Code [Driver: sojuscsi, IRP_MJ_SET_QUOTA]
Process: System Address: 0x89eed800 Size: 99
Object: Hidden Code [Driver: sojuscsi, IRP_MJ_PNP]
Process: System Address: 0x89eed800 Size: 99
Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x89ea7c18 Size: 99
Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x89ea7c18 Size: 99
Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x89ea7c18 Size: 99
Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x89ea7c18 Size: 99
Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x89ea7c18 Size: 99
Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x89ea7c18 Size: 99
Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x89ea7c18 Size: 99
Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_EA]
Process: System Address: 0x89ea7c18 Size: 99
Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_EA]
Process: System Address: 0x89ea7c18 Size: 99
Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x89ea7c18 Size: 99
Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x89ea7c18 Size: 99
Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x89ea7c18 Size: 99
Object: Hidden Code [Driver: Cdrom, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x89ea7c18 Size: 99
Object: Hidden Code [Driver: Cdrom, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x89ea7c18 Size: 99
Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89ea7c18 Size: 99
Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89ea7c18 Size: 99
Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89ea7c18 Size: 99
Object: Hidden Code [Driver: Cdrom, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x89ea7c18 Size: 99
Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLEANUP]
Process: System Address: 0x89ea7c18 Size: 99
Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x89ea7c18 Size: 99
Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x89ea7c18 Size: 99
Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_SECURITY]
Process: System Address: 0x89ea7c18 Size: 99
Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x89ea7c18 Size: 99
Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89ea7c18 Size: 99
Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x89ea7c18 Size: 99
Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x89ea7c18 Size: 99
Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_QUOTA]
Process: System Address: 0x89ea7c18 Size: 99
Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x89ea7c18 Size: 99
Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System Address: 0x89ea7f00 Size: 99
Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x89ea7f00 Size: 99
Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE]
Process: System Address: 0x89ea7f00 Size: 99
Object: Hidden Code [Driver: atapi, IRP_MJ_READ]
Process: System Address: 0x89ea7f00 Size: 99
Object: Hidden Code [Driver: atapi, IRP_MJ_WRITE]
Process: System Address: 0x89ea7f00 Size: 99
Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x89ea7f00 Size: 99
Object: Hidden Code [Driver: atapi, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x89ea7f00 Size: 99
Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_EA]
Process: System Address: 0x89ea7f00 Size: 99
Object: Hidden Code [Driver: atapi, IRP_MJ_SET_EA]
Process: System Address: 0x89ea7f00 Size: 99
Object: Hidden Code [Driver: atapi, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x89ea7f00 Size: 99
Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x89ea7f00 Size: 99
Object: Hidden Code [Driver: atapi, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x89ea7f00 Size: 99
Object: Hidden Code [Driver: atapi, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x89ea7f00 Size: 99
Object: Hidden Code [Driver: atapi, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x89ea7f00 Size: 99
Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89ea7f00 Size: 99
Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89ea7f00 Size: 99
Object: Hidden Code [Driver: atapi, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89ea7f00 Size: 99
Object: Hidden Code [Driver: atapi, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x89ea7f00 Size: 99
Object: Hidden Code [Driver: atapi, IRP_MJ_CLEANUP]
Process: System Address: 0x89ea7f00 Size: 99
Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x89ea7f00 Size: 99
Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x89ea7f00 Size: 99
Object: Hidden Code [Driver: atapi, IRP_MJ_SET_SECURITY]
Process: System Address: 0x89ea7f00 Size: 99
Object: Hidden Code [Driver: atapi, IRP_MJ_POWER]
Process: System Address: 0x89ea7f00 Size: 99
Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89ea7f00 Size: 99
Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x89ea7f00 Size: 99
Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x89ea7f00 Size: 99
Object: Hidden Code [Driver: atapi, IRP_MJ_SET_QUOTA]
Process: System Address: 0x89ea7f00 Size: 99
Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]
Process: System Address: 0x89ea7f00 Size: 99
- Rudy
- Site Admin
- Posts: 119405
- Joined: 30 Oct 2003 13:42
- Location: Plzeň
Re: Problem with AVG and MBAM
Nothing there either. Try reinstalling AVG.
Re: Problem with AVG and MBAM
I uninstalled version 8.5 and installed 9.0, and it is still the same.
- Rudy
- Site Admin
- Posts: 119405
- Joined: 30 Oct 2003 13:42
- Location: Plzeň
Re: Problem with AVG and MBAM
OK. Also try GMER: http://www.viry.cz/forum/viewtopic.php?f=29&t=62878 and post the logs.
Re: Problem with AVG and MBAM
GMER runs for a while and then crashes. After that no application can be started. When shutting down the system, a window appears saying that the system must be restarted because the Remote Procedure Call (RPC) service terminated unexpectedly. The system does not restart, though; it ends with a blue screen with error c000021a. After a reset the computer boots normally. It behaves exactly the same in safe mode.
Re: Problem with AVG and MBAM
In the afternoon my cousin stopped by, "poked around" in the computer a bit, and now everything works. He said something about mbrfix, deleted the temp files and disabled some drivers. Just to be sure, I am posting the GMER logs here:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-04-12 16:50:22
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\DVOK~1\LOCALS~1\Temp\uxrirpod.sys
---- System - GMER 1.0.15 ----
SSDT spbg.sys ZwEnumerateKey [0xF74F7CA2]
SSDT spbg.sys ZwEnumerateValueKey [0xF74F8030]
---- Devices - GMER 1.0.15 ----
Device 8A3D11F8
Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device 89CED500
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)
AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IsDrv122.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IsDrv122.sys
---- EOF - GMER 1.0.15 ----
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-12 18:19:24
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\DVOK~1\LOCALS~1\Temp\uxrirpod.sys
---- System - GMER 1.0.15 ----
SSDT spbg.sys ZwEnumerateKey [0xF74F7CA2]
SSDT spbg.sys ZwEnumerateValueKey [0xF74F8030]
SSDT spbg.sys ZwOpenKey [0xF74DA0C0]
SSDT spbg.sys ZwQueryKey [0xF74F8108]
SSDT spbg.sys ZwQueryValueKey [0xF74F7F88]
SSDT spbg.sys ZwSetValueKey [0xF74F819A]
INT 0x62 ? 8A3D2BF8
INT 0x63 ? 8A12DBF8
INT 0x63 ? 8A12DBF8
INT 0x63 ? 8A12DBF8
INT 0x63 ? 8A12DBF8
INT 0x63 ? 8A12DBF8
INT 0x63 ? 8A12DBF8
INT 0x82 ? 8A3D2BF8
---- Kernel code sections - GMER 1.0.15 ----
? spbg.sys Systém nemůže nalézt uvedený soubor. !
.text USBPORT.SYS!DllUnload BA1348AC 5 Bytes JMP 8A12D1D8
init C:\WINDOWS\system32\drivers\ALCXSENS.SYS entry point in "init" section [0xBA045900]
.text HTTP.sys AE26331E 3 Bytes [AB, 27, AE] {STOSD ; DAA ; SCASB }
.text HTTP.sys AE26334D 3 Bytes [AB, 27, AE] {STOSD ; DAA ; SCASB }
.text HTTP.sys AE263373 3 Bytes [A8, 27, AE] {TEST AL, 0x27; SCASB }
.text HTTP.sys AE2633AE 3 Bytes [A8, 27, AE] {TEST AL, 0x27; SCASB }
.text HTTP.sys AE263405 3 Bytes [A8, 27, AE] {TEST AL, 0x27; SCASB }
.text ...
.text audlk6tu.SYS ADE47384 1 Byte [20]
.text audlk6tu.SYS ADE47384 37 Bytes [20, 00, 00, 68, 00, 00, 00, ...]
.text audlk6tu.SYS ADE473AA 24 Bytes [00, 00, 20, 00, 00, E0, 00, ...]
.text audlk6tu.SYS ADE473C4 3 Bytes [00, 00, 00]
.text audlk6tu.SYS ADE473C9 1 Byte [00]
.text ...
? System32\Drivers\IsDrv122.sys Systém nemůže nalézt uvedenou cestu. !
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Mozilla Firefox\firefox.exe[2924] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 8A3672D8
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F750A93C] spbg.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F750A990] spbg.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F74DB040] spbg.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F74DB13C] spbg.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F74DB0BE] spbg.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F74DB7FC] spbg.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F74DB6D2] spbg.sys
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 8A12D2D8
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F74EAD92] spbg.sys
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!RtlInitUnicodeString] 000000A5
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!swprintf] 000000E5
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!KeSetEvent] 000000F1
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!IoCreateSymbolicLink] 00000071
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!IoGetConfigurationInformation] 000000D8
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!IoDeleteSymbolicLink] 00000031
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!MmFreeMappingAddress] 00000015
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!IoFreeErrorLogEntry] 00000004
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!IoDisconnectInterrupt] 000000C7
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!MmUnmapIoSpace] 00000023
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!ObReferenceObjectByPointer] 000000C3
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!IofCompleteRequest] 00000018
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!RtlCompareUnicodeString] 00000096
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!IofCallDriver] 00000005
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!MmAllocateMappingAddress] 0000009A
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!IoAllocateErrorLogEntry] 00000007
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!IoConnectInterrupt] 00000012
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!IoDetachDevice] 00000080
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!KeWaitForSingleObject] 000000E2
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!KeInitializeEvent] 000000EB
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!KeCancelTimer] 00000027
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!RtlAnsiStringToUnicodeString] 000000B2
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!RtlInitAnsiString] 00000075
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!IoBuildDeviceIoControlRequest] 00000009
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!IoQueueWorkItem] 00000083
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!MmMapIoSpace] 0000002C
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!IoInvalidateDeviceRelations] 0000001A
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!IoReportDetectedDevice] 0000001B
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!IoReportResourceForDetection] 0000006E
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!RtlxAnsiStringToUnicodeSize] 0000005A
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!NlsMbCodePageTag] 000000A0
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!PoRequestPowerIrp] 00000052
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!KeInsertByKeyDeviceQueue] 0000003B
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!PoRegisterDeviceForIdleDetection] 000000D6
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!sprintf] 000000B3
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!MmMapLockedPagesSpecifyCache] 00000029
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!ObfDereferenceObject] 000000E3
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!IoGetAttachedDeviceReference] 0000002F
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!IoInvalidateDeviceState] 00000084
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!ZwClose] 00000053
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!ObReferenceObjectByHandle] 000000D1
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!ZwCreateDirectoryObject] 00000000
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!IoBuildSynchronousFsdRequest] 000000ED
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!PoStartNextPowerIrp] 00000020
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!IoCreateDevice] 000000FC
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!RtlCopyUnicodeString] 000000B1
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!IoAllocateDriverObjectExtension] 0000005B
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!RtlQueryRegistryValues] 0000006A
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!ZwOpenKey] 000000CB
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!RtlFreeUnicodeString] 000000BE
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!IoStartTimer] 00000039
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!KeInitializeTimer] 0000004A
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!IoInitializeTimer] 0000004C
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!KeInitializeDpc] 00000058
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!KeInitializeSpinLock] 000000CF
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!IoInitializeIrp] 000000D0
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!ZwCreateKey] 000000EF
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!RtlAppendUnicodeStringToString] 000000AA
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!RtlIntegerToUnicodeString] 000000FB
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!ZwSetValueKey] 00000043
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!KeInsertQueueDpc] 0000004D
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!KefAcquireSpinLockAtDpcLevel] 00000033
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!IoStartPacket] 00000085
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!KefReleaseSpinLockFromDpcLevel] 00000045
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!IoBuildAsynchronousFsdRequest] 000000F9
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!IoFreeMdl] 00000002
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!MmUnlockPages] 0000007F
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!IoWriteErrorLogEntry] 00000050
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!KeRemoveByKeyDeviceQueue] 0000003C
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!MmMapLockedPagesWithReservedMapping] 0000009F
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!MmUnmapReservedMapping] 000000A8
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!KeSynchronizeExecution] 00000051
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!IoStartNextPacket] 000000A3
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!KeBugCheckEx] 00000040
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!KeRemoveDeviceQueue] 0000008F
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!KeSetTimer] 00000092
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!_allmul] 0000009D
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!MmProbeAndLockPages] 00000038
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!_except_handler3] 000000F5
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!PoSetPowerState] 000000BC
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!IoOpenDeviceRegistryKey] 000000B6
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!RtlWriteRegistryValue] 000000DA
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!RtlDeleteRegistryValue] 00000021
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!_aulldiv] 00000010
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!strstr] 000000FF
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!_strupr] 000000F3
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!KeQuerySystemTime] 000000D2
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!IoWMIRegistrationControl] 000000CD
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!KeTickCount] 0000000C
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!IoAttachDeviceToDeviceStack] 00000013
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!IoDeleteDevice] 000000EC
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!ExAllocatePoolWithTag] 0000005F
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!IoAllocateWorkItem] 00000097
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!IoAllocateIrp] 00000044
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!IoAllocateMdl] 00000017
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!MmBuildMdlForNonPagedPool] 000000C4
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!MmLockPagableDataSection] 000000A7
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!IoGetDriverObjectExtension] 0000007E
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!MmUnlockPagableImageSection] 0000003D
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!ExFreePoolWithTag] 00000064
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!IoFreeIrp] 0000005D
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!IoFreeWorkItem] 00000019
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!InitSafeBootMode] 00000073
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!RtlCompareMemory] 00000060
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!PoCallDriver] 00000081
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!memmove] 0000004F
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!MmHighestUserAddress] 000000DC
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[HAL.dll!KfAcquireSpinLock] 000000AD
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[HAL.dll!READ_PORT_UCHAR] 000000D4
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[HAL.dll!KeGetCurrentIrql] 000000A2
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[HAL.dll!KfRaiseIrql] 000000AF
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[HAL.dll!KfLowerIrql] 0000009C
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[HAL.dll!HalGetInterruptVector] 000000A4
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[HAL.dll!HalTranslateBusAddress] 00000072
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[HAL.dll!KeStallExecutionProcessor] 000000C0
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[HAL.dll!KfReleaseSpinLock] 000000B7
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 000000FD
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[HAL.dll!READ_PORT_USHORT] 00000093
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 00000026
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[HAL.dll!WRITE_PORT_UCHAR] 00000036
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[WMILIB.SYS!WmiSystemControl] 000000F7
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[WMILIB.SYS!WmiCompleteRequest] 000000CC
---- Devices - GMER 1.0.15 ----
Device 8A3D11F8
Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device 89CED500
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)
Device \Driver\sptd \Device\2330770526 spbg.sys
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IsDrv122.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IsDrv122.sys
Device \Driver\usbuhci \Device\USBPDO-0 8A1ED500
Device \Driver\usbuhci \Device\USBPDO-1 8A1ED500
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A3651F8
Device \Driver\dmio \Device\DmControl\DmConfig 8A3651F8
Device \Driver\dmio \Device\DmControl\DmPnP 8A3651F8
Device \Driver\dmio \Device\DmControl\DmInfo 8A3651F8
Device \Driver\usbuhci \Device\USBPDO-2 8A1ED500
Device \Driver\usbuhci \Device\USBPDO-3 8A1ED500
Device \Driver\usbehci \Device\USBPDO-4 8A1F2500
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device rdpdr.sys (Microsoft RDP Device redirector/Microsoft Corporation)
Device \Driver\Ftdisk \Device\HarddiskVolume1 8A3D31F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8A3D31F8
Device \Driver\Cdrom \Device\CdRom0 8A13E1F8
Device \Driver\atapi \Device\Ide\IdePort0 [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\Cdrom \Device\CdRom4 8A13E1F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 89D05500
Device \Driver\Cdrom \Device\CdRom6 8A13E1F8
Device \Driver\NetBT \Device\NetbiosSmb 89D05500
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\usbuhci \Device\USBFDO-0 8A1ED500
Device \Driver\usbuhci \Device\USBFDO-1 8A1ED500
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89D111F8
Device \Driver\usbuhci \Device\USBFDO-2 8A1ED500
Device 89D111F8
Device \Driver\usbuhci \Device\USBFDO-3 8A1ED500
Device \Driver\Ftdisk \Device\FtControl 8A3D31F8
Device \Driver\usbehci \Device\USBFDO-4 8A1F2500
Device \Driver\PCI_PNP4072 \Device\0000007f spbg.sys
Device \Driver\PCI_PNP4072 \Device\0000007f spbg.sys
Device \Driver\NetBT \Device\NetBT_Tcpip_{D984CAD8-AF1B-47E7-B4C7-9B03527C52C5} 89D05500
Device \Driver\audlk6tu \Device\Scsi\audlk6tu1 8923A500
Device \Driver\audlk6tu \Device\Scsi\audlk6tu1Port2Path0Target1Lun0 8923A500
Device \Driver\audlk6tu \Device\Scsi\audlk6tu1Port2Path0Target0Lun0 8923A500
AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device 892CD1F8
Device Cdfs.SYS (CD-ROM File System Driver/Microsoft Corporation)
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\ControlSet001\Services\{38B18B9D-D46A-468F-91A1-F64B6CE60F3D}\Papameters\Tcpip (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\{38B18B9D-D46A-468F-91A1-F64B6CE60F3D}\Papameters\Tcpip@EnableDHCP 1
Reg HKLM\SYSTEM\ControlSet001\Services\{38B18B9D-D46A-468F-91A1-F64B6CE60F3D}\Papameters\Tcpip@IPAddress 0.0.0.0?
Reg HKLM\SYSTEM\ControlSet001\Services\{38B18B9D-D46A-468F-91A1-F64B6CE60F3D}\Papameters\Tcpip@SubnetMask 0.0.0.0?
Reg HKLM\SYSTEM\ControlSet001\Services\{38B18B9D-D46A-468F-91A1-F64B6CE60F3D}\Papameters\Tcpip@DefaultGateway
Reg HKLM\SYSTEM\ControlSet001\Services\{38B18B9D-D46A-468F-91A1-F64B6CE60F3D}\Papameters\Tcpip@DhcpIPAddress 62.245.121.137
Reg HKLM\SYSTEM\ControlSet001\Services\{38B18B9D-D46A-468F-91A1-F64B6CE60F3D}\Papameters\Tcpip@DhcpSubnetMask 255.255.255.0
Reg HKLM\SYSTEM\ControlSet001\Services\{38B18B9D-D46A-468F-91A1-F64B6CE60F3D}\Papameters\Tcpip@DhcpServer 62.24.64.33
Reg HKLM\SYSTEM\ControlSet001\Services\{38B18B9D-D46A-468F-91A1-F64B6CE60F3D}\Papameters\Tcpip@Lease 43200
Reg HKLM\SYSTEM\ControlSet001\Services\{38B18B9D-D46A-468F-91A1-F64B6CE60F3D}\Papameters\Tcpip@LeaseObtainedTime 1138663121
Reg HKLM\SYSTEM\ControlSet001\Services\{38B18B9D-D46A-468F-91A1-F64B6CE60F3D}\Papameters\Tcpip@T1 1138684721
Reg HKLM\SYSTEM\ControlSet001\Services\{38B18B9D-D46A-468F-91A1-F64B6CE60F3D}\Papameters\Tcpip@T2 1138700921
Reg HKLM\SYSTEM\ControlSet001\Services\{38B18B9D-D46A-468F-91A1-F64B6CE60F3D}\Papameters\Tcpip@LeaseTerminatesTime 1138706321
Reg HKLM\SYSTEM\ControlSet001\Services\{38B18B9D-D46A-468F-91A1-F64B6CE60F3D}\Papameters\Tcpip@DhcpDefaultGateway 62.245.121.1?
Reg HKLM\SYSTEM\ControlSet001\Services\{38B18B9D-D46A-468F-91A1-F64B6CE60F3D}\Papameters\Tcpip@DhcpSubnetMaskOpt 255.255.255.0?
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xC7 0x3E 0x22 0xA6 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x48 0xA9 0xDD 0x0A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x53 0x9B 0x70 0x23 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41@ujdew 0x46 0x37 0x7D 0x25 ...
---- EOF - GMER 1.0.15 ----
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!RtlFreeUnicodeString] 000000BE
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!IoStartTimer] 00000039
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!KeInitializeTimer] 0000004A
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!IoInitializeTimer] 0000004C
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!KeInitializeDpc] 00000058
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!KeInitializeSpinLock] 000000CF
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!IoInitializeIrp] 000000D0
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!ZwCreateKey] 000000EF
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!RtlAppendUnicodeStringToString] 000000AA
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!RtlIntegerToUnicodeString] 000000FB
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!ZwSetValueKey] 00000043
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!KeInsertQueueDpc] 0000004D
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!KefAcquireSpinLockAtDpcLevel] 00000033
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!IoStartPacket] 00000085
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!KefReleaseSpinLockFromDpcLevel] 00000045
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!IoBuildAsynchronousFsdRequest] 000000F9
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!IoFreeMdl] 00000002
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!MmUnlockPages] 0000007F
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!IoWriteErrorLogEntry] 00000050
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!KeRemoveByKeyDeviceQueue] 0000003C
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!MmMapLockedPagesWithReservedMapping] 0000009F
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!MmUnmapReservedMapping] 000000A8
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!KeSynchronizeExecution] 00000051
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!IoStartNextPacket] 000000A3
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!KeBugCheckEx] 00000040
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!KeRemoveDeviceQueue] 0000008F
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!KeSetTimer] 00000092
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!_allmul] 0000009D
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!MmProbeAndLockPages] 00000038
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!_except_handler3] 000000F5
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!PoSetPowerState] 000000BC
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!IoOpenDeviceRegistryKey] 000000B6
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!RtlWriteRegistryValue] 000000DA
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!RtlDeleteRegistryValue] 00000021
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!_aulldiv] 00000010
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!strstr] 000000FF
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!_strupr] 000000F3
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!KeQuerySystemTime] 000000D2
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!IoWMIRegistrationControl] 000000CD
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!KeTickCount] 0000000C
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!IoAttachDeviceToDeviceStack] 00000013
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!IoDeleteDevice] 000000EC
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!ExAllocatePoolWithTag] 0000005F
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!IoAllocateWorkItem] 00000097
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!IoAllocateIrp] 00000044
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!IoAllocateMdl] 00000017
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!MmBuildMdlForNonPagedPool] 000000C4
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!MmLockPagableDataSection] 000000A7
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!IoGetDriverObjectExtension] 0000007E
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!MmUnlockPagableImageSection] 0000003D
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!ExFreePoolWithTag] 00000064
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!IoFreeIrp] 0000005D
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!IoFreeWorkItem] 00000019
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!InitSafeBootMode] 00000073
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!RtlCompareMemory] 00000060
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!PoCallDriver] 00000081
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!memmove] 0000004F
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[ntoskrnl.exe!MmHighestUserAddress] 000000DC
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[HAL.dll!KfAcquireSpinLock] 000000AD
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[HAL.dll!READ_PORT_UCHAR] 000000D4
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[HAL.dll!KeGetCurrentIrql] 000000A2
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[HAL.dll!KfRaiseIrql] 000000AF
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[HAL.dll!KfLowerIrql] 0000009C
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[HAL.dll!HalGetInterruptVector] 000000A4
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[HAL.dll!HalTranslateBusAddress] 00000072
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[HAL.dll!KeStallExecutionProcessor] 000000C0
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[HAL.dll!KfReleaseSpinLock] 000000B7
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 000000FD
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[HAL.dll!READ_PORT_USHORT] 00000093
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 00000026
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[HAL.dll!WRITE_PORT_UCHAR] 00000036
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[WMILIB.SYS!WmiSystemControl] 000000F7
IAT \SystemRoot\System32\Drivers\audlk6tu.SYS[WMILIB.SYS!WmiCompleteRequest] 000000CC
---- Devices - GMER 1.0.15 ----
Device 8A3D11F8
Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device 89CED500
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)
Device \Driver\sptd \Device\2330770526 spbg.sys
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IsDrv122.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IsDrv122.sys
Device \Driver\usbuhci \Device\USBPDO-0 8A1ED500
Device \Driver\usbuhci \Device\USBPDO-1 8A1ED500
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A3651F8
Device \Driver\dmio \Device\DmControl\DmConfig 8A3651F8
Device \Driver\dmio \Device\DmControl\DmPnP 8A3651F8
Device \Driver\dmio \Device\DmControl\DmInfo 8A3651F8
Device \Driver\usbuhci \Device\USBPDO-2 8A1ED500
Device \Driver\usbuhci \Device\USBPDO-3 8A1ED500
Device \Driver\usbehci \Device\USBPDO-4 8A1F2500
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device rdpdr.sys (Microsoft RDP Device redirector/Microsoft Corporation)
Device \Driver\Ftdisk \Device\HarddiskVolume1 8A3D31F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8A3D31F8
Device \Driver\Cdrom \Device\CdRom0 8A13E1F8
Device \Driver\atapi \Device\Ide\IdePort0 [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\Cdrom \Device\CdRom4 8A13E1F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 89D05500
Device \Driver\Cdrom \Device\CdRom6 8A13E1F8
Device \Driver\NetBT \Device\NetbiosSmb 89D05500
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\usbuhci \Device\USBFDO-0 8A1ED500
Device \Driver\usbuhci \Device\USBFDO-1 8A1ED500
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89D111F8
Device \Driver\usbuhci \Device\USBFDO-2 8A1ED500
Device 89D111F8
Device \Driver\usbuhci \Device\USBFDO-3 8A1ED500
Device \Driver\Ftdisk \Device\FtControl 8A3D31F8
Device \Driver\usbehci \Device\USBFDO-4 8A1F2500
Device \Driver\PCI_PNP4072 \Device\0000007f spbg.sys
Device \Driver\PCI_PNP4072 \Device\0000007f spbg.sys
Device \Driver\NetBT \Device\NetBT_Tcpip_{D984CAD8-AF1B-47E7-B4C7-9B03527C52C5} 89D05500
Device \Driver\audlk6tu \Device\Scsi\audlk6tu1 8923A500
Device \Driver\audlk6tu \Device\Scsi\audlk6tu1Port2Path0Target1Lun0 8923A500
Device \Driver\audlk6tu \Device\Scsi\audlk6tu1Port2Path0Target0Lun0 8923A500
AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device 892CD1F8
Device Cdfs.SYS (CD-ROM File System Driver/Microsoft Corporation)
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\ControlSet001\Services\{38B18B9D-D46A-468F-91A1-F64B6CE60F3D}\Papameters\Tcpip (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\{38B18B9D-D46A-468F-91A1-F64B6CE60F3D}\Papameters\Tcpip@EnableDHCP 1
Reg HKLM\SYSTEM\ControlSet001\Services\{38B18B9D-D46A-468F-91A1-F64B6CE60F3D}\Papameters\Tcpip@IPAddress 0.0.0.0?
Reg HKLM\SYSTEM\ControlSet001\Services\{38B18B9D-D46A-468F-91A1-F64B6CE60F3D}\Papameters\Tcpip@SubnetMask 0.0.0.0?
Reg HKLM\SYSTEM\ControlSet001\Services\{38B18B9D-D46A-468F-91A1-F64B6CE60F3D}\Papameters\Tcpip@DefaultGateway
Reg HKLM\SYSTEM\ControlSet001\Services\{38B18B9D-D46A-468F-91A1-F64B6CE60F3D}\Papameters\Tcpip@DhcpIPAddress 62.245.121.137
Reg HKLM\SYSTEM\ControlSet001\Services\{38B18B9D-D46A-468F-91A1-F64B6CE60F3D}\Papameters\Tcpip@DhcpSubnetMask 255.255.255.0
Reg HKLM\SYSTEM\ControlSet001\Services\{38B18B9D-D46A-468F-91A1-F64B6CE60F3D}\Papameters\Tcpip@DhcpServer 62.24.64.33
Reg HKLM\SYSTEM\ControlSet001\Services\{38B18B9D-D46A-468F-91A1-F64B6CE60F3D}\Papameters\Tcpip@Lease 43200
Reg HKLM\SYSTEM\ControlSet001\Services\{38B18B9D-D46A-468F-91A1-F64B6CE60F3D}\Papameters\Tcpip@LeaseObtainedTime 1138663121
Reg HKLM\SYSTEM\ControlSet001\Services\{38B18B9D-D46A-468F-91A1-F64B6CE60F3D}\Papameters\Tcpip@T1 1138684721
Reg HKLM\SYSTEM\ControlSet001\Services\{38B18B9D-D46A-468F-91A1-F64B6CE60F3D}\Papameters\Tcpip@T2 1138700921
Reg HKLM\SYSTEM\ControlSet001\Services\{38B18B9D-D46A-468F-91A1-F64B6CE60F3D}\Papameters\Tcpip@LeaseTerminatesTime 1138706321
Reg HKLM\SYSTEM\ControlSet001\Services\{38B18B9D-D46A-468F-91A1-F64B6CE60F3D}\Papameters\Tcpip@DhcpDefaultGateway 62.245.121.1?
Reg HKLM\SYSTEM\ControlSet001\Services\{38B18B9D-D46A-468F-91A1-F64B6CE60F3D}\Papameters\Tcpip@DhcpSubnetMaskOpt 255.255.255.0?
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xC7 0x3E 0x22 0xA6 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x48 0xA9 0xDD 0x0A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x53 0x9B 0x70 0x23 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41@ujdew 0x46 0x37 0x7D 0x25 ...
---- EOF - GMER 1.0.15 ----
- Rudy
- Site Admin
- Posts: 119405
- Registered: 30 Oct 2003 13:42
- Location: Plzeň
Re: Problem with AVG and MBAM
We will use ComboFix once more. Open Notepad and copy the following into it:

Collect::
C:\WINDOWS\system32\DRIVERS\spbg.sys
Driver::
spbg

Save it to the desktop as CFScript.txt. Then drag it with the mouse onto the ComboFix icon and drop it. CF will start and execute the commands from the script.

Post questions and logs only in your own threads. Private messages, ICQ and e-mail are not for solving your problems.
Please support our forum: https://platba.viry.cz/payment/.
e-mail: rudy(at)forum.viry.cz
Warning: Before cleaning your PC, back up your important data (mail, contacts, documents, photos, videos, music, etc.). Apart from its "visible" activity, a virus can damage the system!
Once your problem is resolved, the thread will be locked. The same applies if it is inactive for more than 14 days. If you want the thread reopened, write to the e-mail address given above.
Re: Problem with AVG and MBAM
Done. Here is the log from ComboFix:
ComboFix 10-04-12.01 - Dvořák 12.04.2010 19:00:53.7.1 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.2047.1448 [GMT 2:00]
Spuštěný z: c:\documents and settings\Dvořák\Plocha\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\Dvořák\Plocha\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((( Soubory vytvořené od 2010-03-12 do 2010-04-12 )))))))))))))))))))))))))))))))
.
2010-04-12 14:07 . 2008-02-22 11:30 334792 ----a-w- c:\windows\system32\_AxShlEx.dll
2010-04-12 14:02 . 2010-04-12 14:02 716272 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-04-12 13:07 . 2010-04-12 13:07 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-12 13:07 . 2010-04-12 13:07 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-04-12 13:07 . 2010-04-12 13:07 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-04-12 13:07 . 2010-04-12 13:07 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-04-12 13:07 . 2010-04-12 13:08 -------- d-----w- c:\windows\system32\drivers\Avg
2010-04-11 19:42 . 2010-04-11 19:42 -------- d-----w- c:\program files\AVG
2010-04-11 06:25 . 2010-04-11 06:25 -------- d-----w- c:\program files\IceSword122en
2010-04-10 16:26 . 2010-03-29 22:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-10 16:26 . 2010-04-11 06:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-10 16:26 . 2010-03-29 22:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-10 16:13 . 2010-04-10 16:13 -------- d-----w- C:\rsit
2010-03-15 09:55 . 2010-03-31 07:40 -------- d-----w- c:\program files\Unlocker
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-12 14:11 . 2005-09-15 14:14 -------- d-----w- c:\program files\SpeedFan
2010-04-12 13:33 . 2005-09-15 13:15 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-12 09:30 . 2009-08-17 08:25 -------- d-----w- c:\program files\trend micro
2010-04-10 14:31 . 2004-08-18 12:00 577560 ----a-w- c:\windows\system32\perfh005.dat
2010-04-10 14:31 . 2004-08-18 12:00 137182 ----a-w- c:\windows\system32\perfc005.dat
2010-03-11 12:36 . 2004-08-18 12:00 832512 ------w- c:\windows\system32\wininet.dll
2010-03-11 12:36 . 2004-08-18 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:36 . 2004-08-18 12:00 17408 ------w- c:\windows\system32\corpol.dll
2010-02-16 14:18 . 2010-02-10 13:25 -------- d-----w- c:\program files\Microsoft Visual Studio 9.0
2010-02-16 14:17 . 2009-07-10 09:11 -------- d-----w- c:\program files\Microsoft SQL Server
2010-02-16 13:40 . 2009-09-04 12:13 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2010-02-15 10:09 . 2010-02-10 13:30 -------- d-----w- c:\program files\Microsoft Silverlight
2010-02-13 15:45 . 2010-02-13 15:45 -------- d-----w- c:\program files\Microsoft Synchronization Services
2010-02-13 15:45 . 2010-02-13 15:45 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-02-12 14:16 . 2009-07-02 16:09 -------- d-----w- c:\program files\DIFX
2010-02-12 10:41 . 2010-02-12 10:41 -------- d-----w- c:\program files\3CXPhone
2005-03-31 21:17 . 2006-01-19 12:02 40960 ----a-w- c:\program files\Uninstall_CDS.exe
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhilipsLime"="c:\program files\Philips\Philips Lime Service\bin\LimeAlive.exe" [2006-06-09 159744]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-10-11 1961984]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2010-04-12 4608]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"FinePrint Dispatcher v5"="c:\windows\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [2003-11-05 380928]
"pdfFactory Pro Dispatcher v2"="c:\windows\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" [2003-11-10 385024]
"SoundMan"="SOUNDMAN.EXE" [2004-06-18 67584]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-12-09 188416]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-01-07 1468296]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\Dvořák\Nabídka Start\Programy\Po spuštění\
SpeedFan.lnk - c:\program files\SpeedFan\speedfan.exe [2005-7-20 2458112]
TaskManager.lnk - c:\windows\system32\taskmgr.exe [2004-8-18 137216]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-04-12 13:07 12464 ----a-w- c:\windows\system32\avgrsstx.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\TotalCommander\\TOTALCMD.EXE"=
"c:\\Program Files\\Miranda IM\\miranda32.exe"=
"c:\\Program Files\\WinMX\\WinMX.exe"=
"c:\\WINDOWS\\system32\\dbeng6.exe"=
"d:\\Games\\TTWin95\\TTDLOADW.OVL"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"d:\\Games\\AOE2CONQ\\EMPIRES2.EXE"=
"d:\\Games\\Need For Speed 5 - Porsche Unleashed\\Porsche.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Hamachi\\hamachi.exe"=
"d:\\Games\\OpenTTD\\OpenTTD.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\WinMX\\Old\\WinMX.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"d:\\Games\\AOE2CONQ\\age2_x1.exe"=
"c:\\Program Files\\3CXPhone\\3CXPhone.exe"=
"c:\\Program Files\\CounterPath\\X-Lite\\x-lite.exe"=
"c:\\Program Files\\CounterPath\\X-Lite Beta\\X-Lite.exe"=
"c:\\Program Files\\SJLabs\\SJphone\\SJphone.exe"=
"c:\\Program Files\\SJphone 1.65\\SJphone.exe"=
"c:\\WINDOWS\\system32\\msiexec.exe"=
"d:\\Dokumenty\\Návody\\Linksys_2102_VOIPAdapter\\SIP-ALGDetector\\sipalgdetector_with_ruby\\bin\\ruby.exe"=
"d:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6699:TCP"= 6699:TCP:*:Disabled:tcp6699
"6257:UDP"= 6257:UDP:*:Disabled:UDP6257
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"500:TCP"= 500:TCP:vpn
"500:UDP"= 500:UDP:vpn
"1723:TCP"= 1723:TCP:vpn
"1723:UDP"= 1723:UDP:vpn1723udp
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12.4.2010 15:07 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [12.4.2010 15:07 242696]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [12.4.2010 15:07 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [12.4.2010 15:07 308064]
R2 nxsIO32;NextSensor Kernel I/O Driver;c:\windows\system32\drivers\nxsIO32.sys [22.5.2007 9:59 2208]
S0 sojuscsi;sojuscsi;c:\windows\system32\DRIVERS\sojuscsi.sys --> c:\windows\system32\DRIVERS\sojuscsi.sys [?]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12.4.2010 16:02 716272]
S3 adusbser;AnyDATA USB Device for Legacy Serial Communication;c:\windows\system32\drivers\adusbser.sys [12.2.2010 16:16 93440]
S3 COSIDS_TB;COSIDS_TB;d:\progra~1\COSIDS\BIN\TbMux32.exe [2.11.2009 18:55 165376]
S3 ENW9503;ENW-950x RTL-based PCI Fast Ethernet Adapter NT Driver;c:\windows\system32\drivers\ENW9503.sys [13.12.2001 16:15 25434]
S3 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [10.7.2008 18:28 369688]
S3 TVicHW32;TVicHW32;c:\windows\system32\drivers\TVicHW32.sys [31.1.2006 17:40 24656]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [18.8.2004 14:00 14336]
S4 gupdate1c9a7a7a2c8d9be;Google Update Service (gupdate1c9a7a7a2c8d9be);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [10.7.2008 18:28 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [10.7.2008 3:49 242712]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.google.com/
mStart Page = about:blank
uInternet Settings,ProxyServer = proxy.chello.cz:3128
uInternet Settings,ProxyOverride = *.local
Trusted Zone: mfcr.cz
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.6.4/GarminAxControl.CAB
DPF: {512663B9-A1FD-412E-9E4F-42B2B1DB189C} - hxxp://www.gps-buddy.com/benomad/benomad/SVSMapCtrl.cab
DPF: {8D558E41-D24F-441D-A7C9-75B278C326FD} - hxxp://www.kia-hotline.com/OCX/Knowledge.CAB
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://81.175.116.204/activex/AMC.cab
DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} - hxxp://asp03.photoprintit.de/microsite/defaults/activex/IPSUploader.cab
FF - ProfilePath - c:\documents and settings\Dvořák\Data aplikací\Mozilla\Firefox\Profiles\l7yewqnd.default\
FF - prefs.js: browser.startup.homepage - www.seznam.cz
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Web Platform Installer\NPWPIDetector.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-12 19:04
Windows 5.1.2600 Service Pack 3 NTFS
skenování skrytých procesů ...
skenování skrytých položek 'Po spuštění' ...
skenování skrytých souborů ...
sken byl úspešně dokončen
skryté soubory: 0
**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------
[HKEY_USERS\S-1-5-21-1123561945-854245398-682003330-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- Knihovny navázané na běžící procesy ---------------------
- - - - - - - > 'winlogon.exe'(872)
c:\windows\system32\Ati2evxx.dll
.
Celkový čas: 2010-04-12 19:06:56
ComboFix-quarantined-files.txt 2010-04-12 17:06
ComboFix2.txt 2010-04-12 12:09
Před spuštěním: 8 159 612 928
Po spuštění: 8 121 597 952
Current=3 Default=3 Failed=2 LastKnownGood=5 Sets=1,2,3,5
- - End Of File - - CAB7C9601769190021D7A950F38081F5
- Rudy
- Site Admin
- Posts: 119405
- Registered: 30 Oct 2003 13:42
- Location: Plzeň
Re: Problem with AVG and MBAM
The log looks clean. Has anything changed?
Re: Problem with AVG and MBAM
Everything works, the programs run, and AVG updates itself.