Win32/Rustock v operacnej pamati

[sarah611]

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "c:\windows\system32\dllcache\atapi.sys|C:\WINDOWS\system32\drivers\atapi.sys" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

[stell]

Pri tejto akcii je nutné mať ComboFix na ploche.

Vypni>FIREWALL>Antivir>Antispyware>vsetko rezidentne.

Otvor Notepad (Poznámkový blok) a zkopíruj do neho celý zeleny tex:

Kód: Vybrat vše

KILLALL::
RegLock::
[HKEY_USERS\S-1-5-21-839522115-1563985344-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
RESTORE::
C:\WINDOWS\SoftwareDistribution\Download\44c8256673ca0542cb198384f8131b68\atapi.sys
srpeek::
C:\WINDOWS\system32\drivers\atapi.sys
MBR::

Potom klik na Subor -> Uložiť ako.. .. -> Ako je Názov souboru tak do toho riadku napiš:CFScript.txt
Typ súboru tak tam vyberies *všetky súbory
A ulož ho na plochu.> Pozor CFScript.txt>Neotvarat a nemoze byt ani>CFScript.txt.txt A Urobis Toto :


Po skonceni skenu vlož log čo ComboFix vytvorí

[sarah611]

ComboFix 10-06-25.04 - sarah . 06. 2010 17:18:41.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.421.1029.18.2047.1657 [GMT 2:00]
Running from: c:\documents and settings\sarah\Plocha\ComboFix.exe
Command switches used :: c:\documents and settings\sarah\Plocha\CFScript.txt
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET personal firewall *disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\SoftwareDistribution\Download\44c8256673ca0542cb198384f8131b68\atapi.sys was found and disinfected
Restored copy from - c:\windows\system32\dllcache\atapi.sys

.
((((((((((((((((((((((((( Files Created from 2010-05-26 to 2010-06-26 )))))))))))))))))))))))))))))))
.

2010-06-25 15:41 . 2010-06-26 12:28 -------- d-----w- c:\program files\trend micro
2010-06-25 15:41 . 2010-06-25 15:42 -------- d-----w- C:\rsit
2010-06-25 13:18 . 2004-08-18 12:00 147968 ----a-w- c:\windows\R.COM
2010-06-25 13:18 . 2004-08-18 12:00 137216 ----a-w- c:\windows\system32\T.COM
2010-06-25 13:17 . 2010-06-25 13:17 -------- d-----w- c:\documents and settings\sarah\DoctorWeb

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-25 15:50 . 2004-08-18 12:00 78210 ----a-w- c:\windows\system32\perfc005.dat
2010-06-25 15:50 . 2004-08-18 12:00 429064 ----a-w- c:\windows\system32\perfh005.dat
2010-05-02 08:27 . 2004-08-18 12:00 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-04-21 12:05 . 2010-04-21 12:05 53144 ---ha-w- c:\windows\system32\mlfcache.dat
2010-04-20 05:48 . 2004-08-18 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 15:38 . 2004-08-18 12:00 663040 ----a-w- c:\windows\system32\wininet.dll
2010-04-16 15:38 . 2004-08-18 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-03-30 22:16 . 2010-03-30 22:16 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-03-30 22:10 . 2010-03-30 22:10 295264 ----a-w- c:\windows\system32\PresentationHost.exe
.

(((((((((((((((((((((((((((((((((((((((((( SR_Search ))))))))))))))))))))))))))))))))))))))))))))))))))))))))

c:\avenger\atapi.sys [x]
[7] CDFE4411A69C224BD1D11B2DA92DAC51 95360 \RP45\A0013193.sys

[7] CDFE4411A69C224BD1D11B2DA92DAC51 95360 c:\combofix\atapi.sys
[7] CDFE4411A69C224BD1D11B2DA92DAC51 95360 \RP43\A0011880.sys

c:\windows\LastGood.Tmp\system32\drivers\atapi.sys [x]
[-] 9F3A2F5AA6875C72BF062C712CFA2674 96512 \RP43\A0011868.sys

[7] CDFE4411A69C224BD1D11B2DA92DAC51 95360 c:\windows\system32\drivers\atapi.sys
[7] CDFE4411A69C224BD1D11B2DA92DAC51 95360 \RP43\A0011819.sys
[-] 92FB5DE727AB5CB84E120C17C4CF7197 95360 \RP46\A0013302.sys
.
------- Sigcheck -------

[7] 2004-08-03 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\44c8256673ca0542cb198384f8131b68\atapi.sys
[7] 2004-08-03 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\atapi.sys
[-] 2004-08-03 18:59 . !HASH: COULD NOT OPEN FILE !!!!! . 95360 . . [------] . . c:\windows\system32\drivers\atapi.sys
.
((((((((((((((((((((((((((((( SnapShot_2010-06-25_21.34.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-25 13:01 . 2010-06-26 14:36 1548360 c:\windows\system32\FNTCACHE.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\sarah\Local Settings\Data aplikací\Google\Update\GoogleUpdate.exe" [2010-03-01 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATKHOTKEY"="c:\program files\ATK Hotkey\Hcontrol.exe" [2007-06-29 225280]
"RTHDCPL"="RTHDCPL.EXE" [2006-11-14 16270848]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-25 786521]
"ACMON"="c:\program files\ASUS\Splendid\ACMON.exe" [2007-01-16 843776]
"ACU"="c:\program files\Atheros\ACU.exe" [2006-11-17 348249]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-11-22 630784]
"egui"="d:\program files\ESET\ESET Smart Security\egui.exe" [2009-11-16 2054360]
"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-17 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-18 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2010-02-27 13:26 229376 ----a-w- d:\program files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2006-11-10 12:35 90112 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\ICQ7.0\\ICQ.exe"=
"d:\\Program Files\\ICQ7.0\\aolload.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Program Files\\Opera\\opera.exe"=

R0 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [27. 2. 2010 15:08 160640]
R0 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [27. 2. 2010 15:08 5248]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [16. 11. 2009 10:03 108792]
R2 ekrn;ESET Service;d:\program files\ESET\ESET Smart Security\ekrn.exe [16. 11. 2009 10:04 735960]
R3 DCamUSBGene;USB2.0 1.3M PC Cam;c:\windows\system32\drivers\USBGENE.sys [25. 2. 2010 14:35 142720]
S2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [27. 2. 2010 15:17 246520]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://start.icq.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xportovať do programu Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-26 17:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys hal.dll ACPI.sys >>UNKNOWN [0x899F6208]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba0ecfc3
\Driver\ACPI -> ACPI.sys @ 0xb9f57cb8
\Driver\atapi -> 0x899f6208
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582414
ParseProcedure -> ntkrnlpa.exe @ 0x80581554
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582414
ParseProcedure -> ntkrnlpa.exe @ 0x80581554
NDIS: Atheros AR5006X Wireless Network Adapter -> SendCompleteHandler -> NDIS.sys @ 0xb9e05bc3
PacketIndicateHandler -> NDIS.sys @ 0xb9df3a0b
SendHandler -> NDIS.sys @ 0xb9e07b31
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1144)
c:\windows\system32\Ati2evxx.dll
d:\program files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll

- - - - - - - > 'explorer.exe'(4008)
c:\windows\system32\msi.dll
d:\program files\Stardock\Object Desktop\WindowBlinds\tray.dll
d:\program files\Stardock\Object Desktop\IconPackager\iprepair.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\acs.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\rundll32.exe
c:\windows\system32\ACEngSvr.exe
c:\program files\ATK Hotkey\ATKOSD.exe
c:\program files\ATK Hotkey\WDC.exe
.
**************************************************************************
.
Completion time: 2010-06-26 17:26:49 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-26 15:26
ComboFix2.txt 2010-06-25 21:37
ComboFix3.txt 2010-06-25 16:50

Pre-Run: 862 928 896
Post-Run: 856 489 984

- - End Of File - - 4AF12BADCF116ECF876B60566F808505

[stell]

stiahnes na plochu a rozbalis na plochu.a spust-
bootkit_remover.rar
otvori sa okno,,obsach vloz sem,


klik-start-klik-spustit a vloz prikaz:
CMD /K COPY /V c:\windows\system32\dllcache\atapi.sys C:\atapi.sys

spustis AVANGER a vlozis script,log po restarte vloz sem.

Kód: Vybrat vše

Begin copying here:
Files to move:
C:\atapi.sys | C:\Windows\System32\drivers\atapi.sys

[sarah611]

obsah okna... http://www.imagebam.com/image/d2f4e386049207


A log:

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\atapi.sys|C:\Windows\System32\drivers\atapi.sys" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

[stell]

spust notepad a vloz zeleny text:

Kód: Vybrat vše

@ECHO OFF
remover.exe fix \\.\PhysicalDrive0

uloz ho na plochu -vsetky subory-ako fix.bat
spust.
po restarte,spust remover a znova vloz sem obsah okna.

[sarah611]

http://www.imagebam.com/image/ea186b86052863

[stell]

ok.bootkit je prec.
ak mas DAEMON alebo Alcohol tak spust tento program

Vypnut DAEMON
http://jpshortstuff.247fixes.com/beta/Defogger.exe , spust, nech disablovat, vloz log, ktery se vytvori, samozrejmne nech restartovat pc

Pri tejto akcii je nutné mať ComboFix na ploche.

Vypni>FIREWALL>Antivir>Antispyware>vsetko rezidentne.

Otvor Notepad (Poznámkový blok) a zkopíruj do neho celý zeleny tex:

Kód: Vybrat vše

KILLALL::
SCOPY::
\RP45\A0013193.sys | \RP43\A0011868.sys
\RP45\A0013193.sys | \RP46\A0013302.sys
\RP45\A0013193.sys | c:\windows\system32\drivers\atapi.sys

Potom klik na Subor -> Uložiť ako.. .. -> Ako je Názov souboru tak do toho riadku napiš:CFScript.txt
Typ súboru tak tam vyberies *všetky súbory
A ulož ho na plochu.> Pozor CFScript.txt>Neotvarat a nemoze byt ani>CFScript.txt.txt A Urobis Toto :


Po skonceni skenu vlož log čo ComboFix vytvorí

[sarah611]

Dakujem, a v pripade, ze DAEMON ani Alcohol nemam?

[stell]

tak spust aj tak defogger,nakolko vidim tam driver Daemonu,

[sarah611]

defogger_disable by jpshortstuff (25.01.10.1)
Log created at 19:00 on 26/06/2010 (sarah)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...


-=E.O.F=-

[stell]

ok,pokracuj,CFScriptom.txt-combofixom,

[sarah611]

ComboFix 10-06-25.04 - sarah . 06. 2010 19:03:55.4.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.421.1029.18.2047.1418 [GMT 2:00]
Running from: c:\documents and settings\sarah\Plocha\ComboFix.exe
Command switches used :: c:\documents and settings\sarah\Plocha\CFScript.txt
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET personal firewall *disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- SCopy ---------------

\RP45\A0013193.sys --> c:\windows\system32\drivers\atapi.sys
.
((((((((((((((((((((((((( Files Created from 2010-05-26 to 2010-06-26 )))))))))))))))))))))))))))))))
.

2010-06-25 15:41 . 2010-06-26 12:28 -------- d-----w- c:\program files\trend micro
2010-06-25 15:41 . 2010-06-25 15:42 -------- d-----w- C:\rsit
2010-06-25 13:18 . 2004-08-18 12:00 147968 ----a-w- c:\windows\R.COM
2010-06-25 13:18 . 2004-08-18 12:00 137216 ----a-w- c:\windows\system32\T.COM
2010-06-25 13:17 . 2010-06-25 13:17 -------- d-----w- c:\documents and settings\sarah\DoctorWeb

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-25 15:50 . 2004-08-18 12:00 78210 ----a-w- c:\windows\system32\perfc005.dat
2010-06-25 15:50 . 2004-08-18 12:00 429064 ----a-w- c:\windows\system32\perfh005.dat
2010-05-02 08:27 . 2004-08-18 12:00 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-04-21 12:05 . 2010-04-21 12:05 53144 ---ha-w- c:\windows\system32\mlfcache.dat
2010-04-20 05:48 . 2004-08-18 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 15:38 . 2004-08-18 12:00 663040 ----a-w- c:\windows\system32\wininet.dll
2010-04-16 15:38 . 2004-08-18 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-03-30 22:16 . 2010-03-30 22:16 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-03-30 22:10 . 2010-03-30 22:10 295264 ----a-w- c:\windows\system32\PresentationHost.exe
.

((((((((((((((((((((((((((((( SnapShot_2010-06-25_21.34.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-18 08:00 . 2004-08-03 20:59 95360 c:\windows\system32\dllcache\atapi.sys
- 2004-08-18 10:00 . 2004-08-03 20:59 95360 c:\windows\system32\dllcache\atapi.sys
+ 2010-02-25 13:01 . 2010-06-26 14:36 1548360 c:\windows\system32\FNTCACHE.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\sarah\Local Settings\Data aplikací\Google\Update\GoogleUpdate.exe" [2010-03-01 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATKHOTKEY"="c:\program files\ATK Hotkey\Hcontrol.exe" [2007-06-29 225280]
"RTHDCPL"="RTHDCPL.EXE" [2006-11-14 16270848]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-25 786521]
"ACMON"="c:\program files\ASUS\Splendid\ACMON.exe" [2007-01-16 843776]
"ACU"="c:\program files\Atheros\ACU.exe" [2006-11-17 348249]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-11-22 630784]
"egui"="d:\program files\ESET\ESET Smart Security\egui.exe" [2009-11-16 2054360]
"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-17 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-18 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2010-02-27 13:26 229376 ----a-w- d:\program files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2006-11-10 12:35 90112 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\ICQ7.0\\ICQ.exe"=
"d:\\Program Files\\ICQ7.0\\aolload.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Program Files\\Opera\\opera.exe"=

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [16. 11. 2009 10:03 108792]
R2 ekrn;ESET Service;d:\program files\ESET\ESET Smart Security\ekrn.exe [16. 11. 2009 10:04 735960]
R3 DCamUSBGene;USB2.0 1.3M PC Cam;c:\windows\system32\drivers\USBGENE.sys [25. 2. 2010 14:35 142720]
S2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [27. 2. 2010 15:17 246520]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://start.icq.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xportovať do programu Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-26 19:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1116)
c:\windows\system32\Ati2evxx.dll
d:\program files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll

- - - - - - - > 'explorer.exe'(1816)
c:\windows\system32\msi.dll
d:\program files\Stardock\Object Desktop\WindowBlinds\tray.dll
d:\program files\Stardock\Object Desktop\IconPackager\iprepair.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\acs.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\rundll32.exe
c:\windows\system32\ACEngSvr.exe
c:\program files\ATK Hotkey\ATKOSD.exe
c:\program files\ATK Hotkey\WDC.exe
.
**************************************************************************
.
Completion time: 2010-06-26 19:11:36 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-26 17:11
ComboFix2.txt 2010-06-26 15:26
ComboFix3.txt 2010-06-25 21:37
ComboFix4.txt 2010-06-25 16:50

Pre-Run: 1 007 128 576
Post-Run: 1 000 255 488

- - End Of File - - BE6A6C060897EA1AA17209BCDA47BA6F

[stell]

klik-start-klik-spustit=vloz prikaz
combofix /uninstall
Je potřeba vypnout nástroj obnova systému - Ovládací panely>systém>obnovení systému>vypnout nástroj obnovení systému>OK nebo použít a nyní jen restartovat PC
2. Po restartu je tento adresář kompletně smazán, obnovu opět zapnout.http://www.viry.cz/forum/viewtopic.php?f=11&t=47040
Stiahnes na plochu TFC
zatvor vsetko co mas otvorene a spust-po skane restart
http://sweb.cz/Marinus/T-Cleaner.exe
stiahnes na plochu a spustis-stale suhlasis a Enter

Stáhni, nainstaluj program CCleaner - http://www.ccleaner.com/download/downloadpage.aspx?f=2
- PravyKlik na kos-spustit ccleaner ->>>Cakas>>na cistenie,,
PravyKlik na kos-otvorit ccleaner-záložka Windows a stiskni Analyzovat a poté Spustit Cleaner
- Klikni na záložku Aplikace a stiskni Analyzovat a poté Spustit Cleaner
- Klikni na Registry, stiskni Hledej problémy, po dokončení skenování klikni na Opravit vybrané problémy,
-zvol Ano pro vytvoření zálohy, ulož nabídnutý soubor a klikni na Opravit všechny problémy,
Stiahnes>>Malwarebytes' Anti-Malware stiahnut-nainstalovat -aktualizovat-
sprav komplet skan,co najde zmaz,log vloz sem,
vloz sem novy log z RSIT.

[sarah611]

Log z Malwarebytes' Anti-Malware:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Verze databáze: 4244

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

26. 6. 2010 20:32:41
mbam-log-2010-06-26 (20-32-41).txt

Typ skenu: Úplný sken (C:\|D:\|)
Skenované objekty: 199216
Uplynulý čas: 59 minuta(y), 37 sekunda(y)

Infikované procesy v paměti: 0
Infikované moduly v paměti: 0
Infikované klíče registru: 0
Infikované hodnoty registru: 0
Infikované datové položky registru: 0
Infikované složky: 0
Infikované soubory: 0

Infikované procesy v paměti:
(Žádné škodlivé položky nebyly zjištěny)

Infikované moduly v paměti:
(Žádné škodlivé položky nebyly zjištěny)

Infikované klíče registru:
(Žádné škodlivé položky nebyly zjištěny)

Infikované hodnoty registru:
(Žádné škodlivé položky nebyly zjištěny)

Infikované datové položky registru:
(Žádné škodlivé položky nebyly zjištěny)

Infikované složky:
(Žádné škodlivé položky nebyly zjištěny)

Infikované soubory:
(Žádné škodlivé položky nebyly zjištěny)