PC virus removal, computer speed-up, remote help via the neslape.cz service

Probably a rootkit in a laptop

morlock
Visitor
Posts: 95
Registered: 02 Sep 2010 23:12

Probably a rootkit in a laptop

#1 Post by morlock »

I'd like someone to check this log from my friend's laptop. It's acting up: when I connect to the internet, an automatic shutdown of the computer within one minute is triggered, and it can't be prevented even by changing the automatic shutdown setting in the setup. Also, after installing Avast, loading the updates (from another computer, since the internet wasn't working) and running a Full scan and then restarting the computer, I get a Blue Screen and memory dump at the welcome screen where I pick the user. I got rid of that by uninstalling Avast in safe mode afterwards. Avast found a virus in c:\windows\system32\drivers\igdkmd32.sys but was unable to remove it or move it to the chest. Here is the RSIT log. Thanks in advance for the help, Martin. (I wanted to attach the info.txt file created by RSIT as well, but the post would have had more than 60000 characters, so that didn't work; I hope this is enough.)

Logfile of random's system information tool 1.08 (written by random/random)
Run by Kerry Dunne at 2010-09-02 23:06:43
Microsoft® Windows Vista™ Home Basic Service Pack 2
System drive C: has 102 GB (72%) free of 142 GB
Total RAM: 3001 MB (66% free)

HijackThis download failed

======Scheduled tasks folder======

C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3768133199-3547387650-2985043688-1000Core.job
C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3768133199-3547387650-2985043688-1000UA.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
AskBar BHO - C:\Program Files\AskBarDis\bar\bin\askBar.dll [2009-04-02 333192]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
Symantec NCO BHO - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll [2009-08-26 378736]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
Symantec Intrusion Prevention - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\IPSBHO.DLL [2009-08-26 107896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-02-17 408440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2009-12-28 256112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll [2010-01-29 764912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}]
Office Document Cache Handler - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL [2010-02-28 561552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}]
Google Dictionary Compression sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll [2009-12-28 458736]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-01-20 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - Norton Toolbar - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll [2009-08-26 378736]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2009-12-28 256112]
{3041d03e-fd4b-44e0-b742-2d9b88305f98} - Ask Toolbar - C:\Program Files\AskBarDis\bar\bin\askBar.dll [2009-04-02 333192]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NPSStartup"= []
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-21 1008184]
"WarReg_PopUp"=C:\Program Files\eMachines\WR_PopUp\WarReg_PopUp.exe [2008-11-04 57344]
"SunJavaUpdateSched"=C:\Program Files\Common Files\Java\Java Update\jusched.exe [2010-01-11 246504]
"RtHDVCpl"=C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [2009-02-11 6724128]
"Persistence"=C:\Windows\system32\igfxpers.exe [2008-11-05 154136]
"LManager"=C:\PROGRA~1\LAUNCH~1\LManager.exe [2009-02-12 862728]
"IgfxTray"=C:\Windows\system32\igfxtray.exe [2008-11-05 150040]
"HotKeysCmds"=C:\Windows\system32\hkcmd.exe [2008-11-05 178712]
"Google Desktop Search"=C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2010-07-28 30192]
"Apoint"=C:\Program Files\Apoint2K\Apoint.exe [2007-07-21 159744]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2008-06-12 34672]
"Acer ePower Management"=C:\Program Files\eMachines\eMachines Power Management\ePowerTray.exe [2009-04-03 698912]
"Skytel"=C:\Program Files\Realtek\Audio\HDA\Skytel.exe [2009-02-11 1833504]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe [2008-01-21 202240]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2009-12-28 68856]
"Skype"=C:\Program Files\Skype\Phone\Skype.exe [2010-03-09 26100520]
"Google Update"=C:\Users\Kerry Dunne\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-30 135664]
"AutoStartNPSAgent"=C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe [2009-04-02 102400]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\12CFG214-K641-12SF-N85P]
C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1811\vsbntlo.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast5]
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dldtamon]
C:\Program Files\Dell V305\dldtamon.exe [2008-06-24 16624]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dldtmon.exe]
C:\Program Files\Dell V305\dldtmon.exe [2008-06-24 668912]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\txnnjgma]
C:\Users\Kerry Dunne\AppData\Local\lgppigpvg\bmkpcvhshdw.exe []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\Windows\system32\igfxdev.dll [2008-10-28 221184]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\SymEFA.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfPf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfRd]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfUsbccidDriver]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"BindDirectlyToPropertySetStorage"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======List of files/folders created in the last 1 months======

2010-09-02 23:06:43 ----D---- C:\rsit
2010-09-02 23:06:43 ----D---- C:\Program Files\trend micro
2010-09-02 23:06:24 ----D---- C:\Antivir
2010-09-02 21:41:53 ----D---- C:\Windows\system32\vi-VN
2010-09-02 21:41:53 ----D---- C:\Windows\system32\eu-ES
2010-09-02 21:41:53 ----D---- C:\Windows\system32\ca-ES
2010-09-02 17:40:31 ----ASH---- C:\hiberfil.sys
2010-09-02 07:15:36 ----D---- C:\ProgramData\Lavasoft
2010-09-02 07:15:36 ----D---- C:\Program Files\Lavasoft
2010-09-02 07:14:06 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2010-09-02 06:35:00 ----D---- C:\Windows\system32\EventProviders
2010-09-02 03:25:33 ----D---- C:\Windows\pss
2010-09-02 03:16:51 ----D---- C:\prac
2010-09-02 02:59:10 ----D---- C:\ProgramData\Alwil Software
2010-09-02 02:59:10 ----D---- C:\Program Files\Alwil Software
2010-08-30 14:26:10 ----A---- C:\Windows\system32\drivers\ltjgdmbd.sys
2010-08-30 14:23:41 ----D---- C:\RECYCLER
2010-08-30 14:22:27 ----RSH---- C:\Users\Kerry Dunne\AppData\Roaming\ohydy.exe
2010-08-30 14:22:08 ----D---- C:\Users\Kerry Dunne\AppData\Roaming\5E170330394A038E71BCC34714A0F947
2010-08-28 01:01:13 ----A---- C:\Windows\ntbtlog.txt
2010-08-27 09:33:39 ----D---- C:\Program Files\Common Files\DESIGNER
2010-08-27 09:30:50 ----D---- C:\Program Files\Microsoft Analysis Services
2010-08-27 00:42:19 ----D---- C:\Users\Kerry Dunne\AppData\Roaming\Template
2010-08-17 02:05:37 ----D---- C:\Users\Kerry Dunne\AppData\Roaming\PC Suite
2010-08-17 02:05:37 ----D---- C:\ProgramData\PC Suite
2010-08-16 23:05:30 ----A---- C:\Windows\system32\nmwcdcls.dll
2010-08-16 23:05:25 ----D---- C:\Program Files\DIFX
2010-08-16 23:05:23 ----A---- C:\Windows\system32\drivers\pccsmcfd.sys
2010-08-16 23:05:21 ----DC---- C:\Windows\system32\DRVSTORE
2010-08-16 23:04:58 ----A---- C:\Windows\system32\drivers\ss_bwhnt.sys
2010-08-16 23:04:58 ----A---- C:\Windows\system32\drivers\ss_bwh.sys
2010-08-16 23:04:58 ----A---- C:\Windows\system32\drivers\ss_bmdm.sys
2010-08-16 23:04:58 ----A---- C:\Windows\system32\drivers\ss_bmdfl.sys
2010-08-16 23:04:58 ----A---- C:\Windows\system32\drivers\ss_bcmnt.sys
2010-08-16 23:04:58 ----A---- C:\Windows\system32\drivers\ss_bcm.sys
2010-08-16 23:04:58 ----A---- C:\Windows\system32\drivers\ss_bbus.sys
2010-08-16 23:04:29 ----D---- C:\Windows\system32\Samsung_USB_Drivers
2010-08-16 22:54:04 ----A---- C:\Windows\system32\FsUsbExService.Exe
2010-08-16 22:54:04 ----A---- C:\Windows\system32\FsUsbExDisk.Sys
2010-08-16 22:54:04 ----A---- C:\Windows\system32\FsUsbExDevice.Dll
2010-08-16 22:53:31 ----D---- C:\Users\Kerry Dunne\AppData\Roaming\Samsung
2010-08-16 22:52:35 ----D---- C:\Program Files\MarkAny
2010-08-16 22:52:33 ----D---- C:\Program Files\PC Connectivity Solution
2010-08-16 22:51:52 ----D---- C:\Program Files\Samsung
2010-08-12 16:25:07 ----A---- C:\Windows\system32\drivers\tcpip.sys
2010-08-12 16:22:48 ----A---- C:\Windows\system32\iccvid.dll
2010-08-12 16:22:44 ----A---- C:\Windows\system32\ieapfltr.dll
2010-08-12 16:22:43 ----A---- C:\Windows\system32\mshtml.dll
2010-08-12 16:22:41 ----A---- C:\Windows\system32\urlmon.dll
2010-08-12 16:22:41 ----A---- C:\Windows\system32\ieframe.dll
2010-08-12 16:22:40 ----A---- C:\Windows\system32\wininet.dll
2010-08-12 16:22:40 ----A---- C:\Windows\system32\mshtmled.dll
2010-08-12 16:22:40 ----A---- C:\Windows\system32\iepeers.dll
2010-08-12 16:22:40 ----A---- C:\Windows\system32\ieencode.dll
2010-08-12 16:22:11 ----A---- C:\Windows\system32\schannel.dll
2010-08-12 16:20:21 ----A---- C:\Windows\system32\win32k.sys
2010-08-12 16:20:16 ----A---- C:\Windows\system32\rtutils.dll
2010-08-12 16:20:11 ----A---- C:\Windows\system32\ntkrnlpa.exe
2010-08-12 16:20:10 ----A---- C:\Windows\system32\ntoskrnl.exe
2010-08-12 02:43:07 ----A---- C:\Windows\system32\msxml3.dll
2010-08-12 02:43:05 ----A---- C:\Windows\system32\drivers\srv2.sys
2010-08-12 02:43:05 ----A---- C:\Windows\system32\drivers\srv.sys
2010-08-04 14:06:34 ----A---- C:\Windows\system32\shell32.dll

======List of files/folders modified in the last 1 months======

2010-09-02 23:06:43 ----RD---- C:\Program Files
2010-09-02 23:06:37 ----D---- C:\Windows\Temp
2010-09-02 23:06:35 ----D---- C:\Windows\Prefetch
2010-09-02 23:05:42 ----D---- C:\Windows\System32
2010-09-02 23:05:42 ----D---- C:\Windows\inf
2010-09-02 23:05:42 ----A---- C:\Windows\system32\PerfStringBackup.INI
2010-09-02 22:12:17 ----D---- C:\Windows\rescache
2010-09-02 22:06:58 ----D---- C:\Windows\Microsoft.NET
2010-09-02 22:06:31 ----RSD---- C:\Windows\assembly
2010-09-02 21:53:39 ----D---- C:\Users\Kerry Dunne\AppData\Roaming\Skype
2010-09-02 21:47:50 ----D---- C:\Windows
2010-09-02 21:47:34 ----SHD---- C:\Boot
2010-09-02 21:47:21 ----D---- C:\Windows\system32\catroot
2010-09-02 21:42:19 ----D---- C:\Program Files\Windows Sidebar
2010-09-02 21:42:19 ----D---- C:\Program Files\Windows Photo Gallery
2010-09-02 21:42:19 ----D---- C:\Program Files\Windows Media Player
2010-09-02 21:42:19 ----D---- C:\Program Files\Windows Mail
2010-09-02 21:42:19 ----D---- C:\Program Files\Windows Collaboration
2010-09-02 21:42:19 ----D---- C:\Program Files\Windows Calendar
2010-09-02 21:42:19 ----D---- C:\Program Files\Movie Maker
2010-09-02 21:42:19 ----D---- C:\Program Files\Internet Explorer
2010-09-02 21:42:19 ----D---- C:\Program Files\Common Files\System
2010-09-02 21:42:18 ----D---- C:\Windows\servicing
2010-09-02 21:42:18 ----D---- C:\Program Files\Windows Defender
2010-09-02 21:42:17 ----D---- C:\Windows\system32\XPSViewer
2010-09-02 21:42:17 ----D---- C:\Windows\system32\sk-SK
2010-09-02 21:42:17 ----D---- C:\Windows\system32\lv-LV
2010-09-02 21:42:17 ----D---- C:\Windows\system32\ko-KR
2010-09-02 21:42:17 ----D---- C:\Windows\system32\hr-HR
2010-09-02 21:42:17 ----D---- C:\Windows\system32\et-EE
2010-09-02 21:42:17 ----D---- C:\Windows\system32\da-DK
2010-09-02 21:42:17 ----D---- C:\Windows\IME
2010-09-02 21:42:16 ----D---- C:\Windows\system32\en-US
2010-09-02 21:42:11 ----D---- C:\Windows\system32\sv-SE
2010-09-02 21:42:11 ----D---- C:\Windows\system32\SLUI
2010-09-02 21:42:11 ----D---- C:\Windows\system32\setup
2010-09-02 21:42:11 ----D---- C:\Windows\system32\ru-RU
2010-09-02 21:42:11 ----D---- C:\Windows\system32\pt-PT
2010-09-02 21:42:11 ----D---- C:\Windows\system32\oobe
2010-09-02 21:42:11 ----D---- C:\Windows\system32\migration
2010-09-02 21:42:11 ----D---- C:\Windows\system32\it-IT
2010-09-02 21:42:11 ----D---- C:\Windows\system32\hu-HU
2010-09-02 21:42:11 ----D---- C:\Windows\system32\he-IL
2010-09-02 21:42:11 ----D---- C:\Windows\system32\fr-FR
2010-09-02 21:42:11 ----D---- C:\Windows\system32\fi-FI
2010-09-02 21:42:11 ----D---- C:\Windows\system32\el-GR
2010-09-02 21:42:11 ----D---- C:\Windows\system32\de-DE
2010-09-02 21:42:11 ----D---- C:\Windows\system32\cs-CZ
2010-09-02 21:42:11 ----D---- C:\Windows\system32\AdvancedInstallers
2010-09-02 21:42:10 ----D---- C:\Windows\system32\zh-TW
2010-09-02 21:42:10 ----D---- C:\Windows\system32\zh-CN
2010-09-02 21:42:10 ----D---- C:\Windows\system32\wbem
2010-09-02 21:42:10 ----D---- C:\Windows\system32\uk-UA
2010-09-02 21:42:10 ----D---- C:\Windows\system32\tr-TR
2010-09-02 21:42:10 ----D---- C:\Windows\system32\th-TH
2010-09-02 21:42:10 ----D---- C:\Windows\system32\sr-Latn-CS
2010-09-02 21:42:10 ----D---- C:\Windows\system32\sl-SI
2010-09-02 21:42:10 ----D---- C:\Windows\system32\ro-RO
2010-09-02 21:42:10 ----D---- C:\Windows\system32\pl-PL
2010-09-02 21:42:10 ----D---- C:\Windows\system32\manifeststore
2010-09-02 21:42:10 ----D---- C:\Windows\system32\ja-JP
2010-09-02 21:42:10 ----D---- C:\Windows\system32\es-ES
2010-09-02 21:42:10 ----D---- C:\Windows\system32\en
2010-09-02 21:42:10 ----D---- C:\Windows\system32\drivers\en-US
2010-09-02 21:42:10 ----D---- C:\Windows\system32\drivers
2010-09-02 21:42:10 ----D---- C:\Windows\system32\bg-BG
2010-09-02 21:42:09 ----D---- C:\Windows\system32\pt-BR
2010-09-02 21:42:09 ----D---- C:\Windows\system32\nl-NL
2010-09-02 21:42:09 ----D---- C:\Windows\system32\nb-NO
2010-09-02 21:42:09 ----D---- C:\Windows\system32\migwiz
2010-09-02 21:42:09 ----D---- C:\Windows\system32\lt-LT
2010-09-02 21:42:09 ----D---- C:\Windows\system32\ar-SA
2010-09-02 21:41:59 ----RSD---- C:\Windows\Fonts
2010-09-02 21:41:59 ----D---- C:\Windows\AppPatch
2010-09-02 21:41:53 ----D---- C:\Windows\system32\Boot
2010-09-02 21:40:52 ----D---- C:\Windows\system32\drivers\UMDF
2010-09-02 21:40:35 ----D---- C:\Windows\system32\RTCOM
2010-09-02 21:32:04 ----D---- C:\Windows\winsxs
2010-09-02 21:30:39 ----A---- C:\Windows\fonts\GlobalUserInterface.CompositeFont
2010-09-02 21:25:36 ----SHD---- C:\System Volume Information
2010-09-02 17:32:14 ----D---- C:\Windows\Minidump
2010-09-02 07:16:05 ----SHD---- C:\Windows\Installer
2010-09-02 07:15:36 ----HD---- C:\ProgramData
2010-09-02 07:14:06 ----D---- C:\Program Files\Common Files
2010-09-02 06:25:22 ----D---- C:\Windows\system32\LogFiles
2010-09-02 05:46:41 ----D---- C:\Windows\system32\catroot2
2010-09-02 02:37:16 ----SD---- C:\ProgramData\Microsoft
2010-08-30 14:56:31 ----D---- C:\Windows\Tasks
2010-08-30 14:56:31 ----D---- C:\Windows\system32\spool
2010-08-30 14:56:31 ----D---- C:\Windows\system32\Msdtc
2010-08-30 14:56:31 ----D---- C:\Windows\registration
2010-08-30 14:47:48 ----SD---- C:\Users\Kerry Dunne\AppData\Roaming\Microsoft
2010-08-28 12:19:48 ----D---- C:\ProgramData\Microsoft Help
2010-08-27 09:36:04 ----D---- C:\Windows\system32\Tasks
2010-08-27 09:34:23 ----D---- C:\Program Files\Common Files\microsoft shared
2010-08-27 09:33:30 ----D---- C:\Program Files\Microsoft Office
2010-08-27 09:30:51 ----D---- C:\Windows\SHELLNEW
2010-08-27 00:39:48 ----SD---- C:\Windows\Downloaded Program Files
2010-08-24 16:13:30 ----SHD---- C:\$Recycle.Bin
2010-08-16 22:53:13 ----HD---- C:\Program Files\InstallShield Installation Information
2010-08-16 22:48:27 ----D---- C:\Program Files\Common Files\Adobe
2010-08-16 22:38:33 ----D---- C:\Users\Kerry Dunne\AppData\Roaming\Azureus
2010-08-13 13:45:10 ----D---- C:\Program Files\Microsoft Works
2010-08-03 19:09:31 ----A---- C:\Windows\system32\mrt.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 SymEFA;Symantec Extended File Attributes; C:\Windows\system32\drivers\NIS\1008000.029\SYMEFA.SYS [2009-08-26 310320]
R0 UBHelper;UBHelper; C:\Windows\system32\drivers\UBHelper.sys [2008-01-30 13824]
R1 BHDrvx86;Symantec Heuristics Driver; C:\Windows\System32\Drivers\NIS\1008000.029\BHDrvx86.sys [2009-08-26 259632]
R1 ccHP;Symantec Hash Provider; C:\Windows\System32\Drivers\NIS\1008000.029\ccHPx86.sys [2010-02-04 482432]
R1 DritekPortIO;Dritek General Port I/O; \??\C:\PROGRA~1\LAUNCH~1\DPortIO.sys [2006-11-02 20112]
R1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [2010-01-12 371248]
R1 IDSVix86;IDSVix86; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20100224.002\IDSvix86.sys [2009-12-30 343088]
R1 SRTSPX;Symantec Real Time Storage Protection (PEL); C:\Windows\system32\drivers\NIS\1008000.029\SRTSPX.SYS [2009-08-26 43696]
R1 SymIM;Symantec Network Security Intermediate Filter Driver; C:\Windows\system32\DRIVERS\SymIMv.sys [2009-08-26 25648]
R1 SYMTDI;Symantec Network Dispatch Driver; C:\Windows\System32\Drivers\NIS\1008000.029\SYMTDI.SYS [2009-08-26 217136]
R2 regi;regi; C:\Windows\system32\drivers\regi.sys [2007-04-17 11032]
R3 ApfiltrService;Alps Pointing-device Filter Driver; C:\Windows\system32\DRIVERS\Apfiltr.sys [2008-02-18 166960]
R3 athr;Atheros Extensible Wireless LAN device driver; C:\Windows\system32\DRIVERS\athr.sys [2008-11-04 952320]
R3 DKbFltr;Dritek Keyboard Filter Driver; C:\Windows\system32\DRIVERS\DKbFltr.sys [2006-11-02 21264]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-01-12 102448]
R3 FsUsbExDisk;FsUsbExDisk; \??\C:\Windows\system32\FsUsbExDisk.SYS [2009-03-31 36608]
R3 igfx;igfx; C:\Windows\system32\DRIVERS\igdkmd32.sys [2008-10-28 2476544]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHDA.sys [2009-02-11 2324512]
R3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller; C:\Windows\system32\DRIVERS\L1C60x86.sys [2009-01-15 49664]
R3 NTIDrvr;Upper Class Filter Driver; C:\Windows\system32\DRIVERS\NTIDrvr.sys [2008-01-30 14848]
R3 SymEvent;SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT.SYS [2010-01-20 124976]
R3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-21 83328]
S3 BCM43XX;Broadcom 802.11 Network Adapter Driver; C:\Windows\system32\DRIVERS\bcmwl6.sys [2007-10-26 1044984]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-21 5632]
S3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
S3 hwdatacard;Huawei DataCard USB Modem and USB Serial; C:\Windows\system32\DRIVERS\ewusbmdm.sys [2008-12-13 102784]
S3 hwusbfake;Huawei DataCard USB Fake; C:\Windows\system32\DRIVERS\ewusbfake.sys [2008-12-30 103040]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-21 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-21 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-21 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-21 6016]
S3 NAVENG;NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100225.048\NAVENG.SYS [2010-02-03 84912]
S3 NAVEX15;NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100225.048\NAVEX15.SYS [2010-02-03 1324720]
S3 pccsmcfd;PCCS Mode Change Filter Driver; C:\Windows\system32\DRIVERS\pccsmcfd.sys [2007-09-17 21632]
S3 RTSTOR;Realtek USB 2.0 Card Reader; C:\Windows\system32\drivers\RTSTOR.SYS [2009-02-23 62976]
S3 SRTSP;Symantec Real Time Storage Protection; C:\Windows\System32\Drivers\NIS\1008000.029\SRTSP.SYS [2009-08-26 308272]
S3 ss_bbus;SAMSUNG USB Mobile Device (WDM); C:\Windows\system32\DRIVERS\ss_bbus.sys [2009-03-20 90112]
S3 ss_bmdfl;SAMSUNG USB Mobile Modem (Filter); C:\Windows\system32\DRIVERS\ss_bmdfl.sys [2009-03-20 14976]
S3 ss_bmdm;SAMSUNG USB Mobile Modem; C:\Windows\system32\DRIVERS\ss_bmdm.sys [2009-03-20 121856]
S3 SYMDNS;SYMDNS; \??\C:\Windows\system32\drivers\NIS\1000000.07D\SYMDNS.SYS []
S3 SYMFW;Symantec Network Filter Driver; C:\Windows\System32\Drivers\NIS\1008000.029\SYMFW.SYS [2009-08-26 89904]
S3 SYMNDISV;Symantec Network Filter Driver; C:\Windows\System32\Drivers\NIS\1008000.029\SYMNDISV.SYS [2009-08-26 48688]
S3 SYMREDRV;SYMREDRV; \??\C:\Windows\system32\drivers\NIS\1000000.07D\SYMREDRV.SYS []
S3 usbscan;USB Scanner Driver; C:\Windows\system32\DRIVERS\usbscan.sys [2008-01-21 35328]
S4 ErrDev;Microsoft Hardware Error Device Driver; C:\Windows\system32\drivers\errdev.sys [2008-01-21 6656]
S4 MegaSR;MegaSR; C:\Windows\system32\drivers\megasr.sys [2008-01-21 386616]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-05-12 611664]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service; C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [2008-01-11 30312]
R2 ePowerSvc;Acer ePower Service; C:\Program Files\eMachines\eMachines Power Management\ePowerSvc.exe [2009-04-03 723488]
R2 FsUsbExService;FsUsbExService; C:\Windows\system32\FsUsbExService.Exe [2009-03-31 233472]
R2 IviRegMgr;IviRegMgr; C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe [2007-01-04 112152]
R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service; C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2008-09-23 144632]
R2 SQLBrowser;SQL Server Browser; c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe [2008-11-24 239968]
R2 SQLWriter;SQL Server VSS Writer; c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe [2008-11-24 87904]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86; C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
S2 gupdate;Google Update Service (gupdate); C:\Program Files\Google\Update\GoogleUpdate.exe [2009-12-30 135664]
S3 GameConsoleService;GameConsoleService; C:\Program Files\eMachines Games\eMachines Game Console\GameConsoleService.exe [2008-05-05 165416]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335; C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2010-07-28 30192]
S3 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-12-30 182768]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ); c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2009-05-27 29262680]
S3 NTIBackupSvc;NTI Backup Now 5 Backup Service; C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2008-09-23 50424]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-01-09 149352]
S3 osppsvc;Office Software Protection Platform; C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4640000]
S3 ServiceLayer;ServiceLayer; C:\Program Files\PC Connectivity Solution\ServiceLayer.exe [2008-04-07 430592]
S3 WPFFontCache_v0400;@C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe,-100; C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S4 ASKService;ASKService; C:\Program Files\AskBarDis\bar\bin\AskService.exe [2009-04-02 464264]
S4 ASKUpgrade;ASKUpgrade; C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe [2009-04-02 234888]
S4 dldt_device;dldt_device; C:\Windows\system32\dldtcoms.exe [2008-02-25 595184]
S4 dldtCATSCustConnectService;dldtCATSCustConnectService; C:\Windows\system32\spool\DRIVERS\W32X86\3\\dldtserv.exe [2008-02-25 99568]
S4 MSSQLServerADHelper;SQL Server Active Directory Helper; c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe [2008-11-24 45408]
S4 Norton Internet Security;Norton Internet Security; C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe [2009-08-26 117640]

-----------------EOF-----------------
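An added example, not part of the original post and not RSIT's own code: a Python triage script that applies the checks a helper makes by eye on the log above and then does the one thing the eye tends to skip, pivoting on timestamps. Stage 1 flags a launch point under C:\RECYCLER (the log header says Vista, whose real bin is C:\$Recycle.Bin; the log also shows C:\RECYCLER being created on 2010-08-30), random-looking names in user-writable paths (lgppigpvg\bmkpcvhshdw.exe, vsbntlo.exe) and a hidden+system executable in the profile (ohydy.exe). Stage 2 then lists everything created within 15 minutes of a hit, which is how ltjgdmbd.sys, a driver with no entry in the log's driver list, and the 32-hex-character Roaming folder surface without any rule naming them. The sample lines are copied from the RSIT log above; the rule names, the 15-minute window and the vowel heuristic are assumptions of this example. Two caveats a practitioner should keep in mind: RSIT omits drivers it knows as good, so "absent from the driver list" only means something together with the timing; and the file Avast flagged, igdkmd32.sys, appears in the log as the igfx (Intel graphics) driver with a 2008 date, so none of these rules would touch it. A legitimate driver patched in place can only be confirmed by checking its hash or digital signature, not by name or date heuristics.

```python
# Added example, not the original post's or RSIT's own code: triage of RSIT log
# lines. Stage 1 flags paths on simple indicators, stage 2 pivots on creation
# timestamps around each hit. The rule names, the 15-minute window and the
# vowel heuristic are assumptions of this example; the sample lines below are
# constructed by copying them from the RSIT log posted above.
import re
from datetime import datetime, timedelta

SAMPLE_LOG = r"""
======Registry dump======
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Google Update"=C:\Users\Kerry Dunne\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-30 135664]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\12CFG214-K641-12SF-N85P]
C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1811\vsbntlo.exe []
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\txnnjgma]
C:\Users\Kerry Dunne\AppData\Local\lgppigpvg\bmkpcvhshdw.exe []
======List of files/folders created in the last 1 months======
2010-08-30 14:26:10 ----A---- C:\Windows\system32\drivers\ltjgdmbd.sys
2010-08-30 14:23:41 ----D---- C:\RECYCLER
2010-08-30 14:22:27 ----RSH---- C:\Users\Kerry Dunne\AppData\Roaming\ohydy.exe
2010-08-30 14:22:08 ----D---- C:\Users\Kerry Dunne\AppData\Roaming\5E170330394A038E71BCC34714A0F947
2010-08-12 16:25:07 ----A---- C:\Windows\system32\drivers\tcpip.sys
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R3 igfx;igfx; C:\Windows\system32\DRIVERS\igdkmd32.sys [2008-10-28 2476544]
"""

SECTION_RE = re.compile(r'^======(.+?)======$')
FILE_RE = re.compile(r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) -+([A-Z]*)-+ (.+)$')
AUTORUN_RE = re.compile(r'^(?:"[^"]*"=)?"?([A-Za-z]:\\.+?\.(?:exe|dll|sys|scr|bat|cmd|vbs))(?:\s|"|$)', re.I)
DRIVER_RE = re.compile(r'^[RS]\d [^;]+;[^;]*; (?:\\\?\?\\)?(.+?) \[')
EXE_EXT = {'exe', 'dll', 'sys', 'scr', 'bat', 'cmd', 'vbs'}
USER_ROOTS = {'appdata', 'local settings', 'recycler', 'temp'}  # user-writable path roots

def basename(path):
    return path.rsplit('\\', 1)[-1]

def looks_random(name):
    # Crude pronounceability test: 5+ letters with almost no vowels, or a run of
    # five consonants, reads like dropper output (lgppigpvg, bmkpcvhshdw).
    letters = re.sub(r'[^a-z]', '', name.lower())
    if len(letters) < 5:
        return False
    vowels = sum(c in 'aeiouy' for c in letters)
    return vowels / len(letters) <= 0.2 or re.search(r'[^aeiouy]{5,}', letters) is not None

def path_indicators(path, attrs=''):
    # Stage 1: what the path itself (plus RSIT's attribute flags) gives away.
    parts = path.split('\\')
    lowered = [p.lower() for p in parts]
    stem, _, ext = parts[-1].rpartition('.')
    is_exec = bool(stem) and ext.lower() in EXE_EXT
    tail = next((parts[i + 1:] for i, p in enumerate(lowered) if p in USER_ROOTS), [])
    reasons = []
    if 'recycler' in lowered:
        reasons.append('RECYCLER folder on a Vista system (the real bin is $Recycle.Bin)')
    if is_exec and tail:
        randoms = [p for p in tail if looks_random(p.rpartition('.')[0] or p)]
        if randoms:
            reasons.append('random-looking name(s) in a user-writable path: ' + ', '.join(randoms))
        if {'H', 'S'} <= set(attrs):
            reasons.append('hidden+system attributes on an executable in a user profile')
    return reasons

def parse_sections(text):
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current, sections[m.group(1)] = m.group(1), []
        elif current is not None:
            sections[current].append(line)
    return sections

def lines_of(sections, prefix):
    return [l for name, lines in sections.items() if name.startswith(prefix) for l in lines]

def triage(log_text, window=timedelta(minutes=15)):
    sections = parse_sections(log_text)
    registered = {basename(m.group(1)).lower()
                  for m in map(DRIVER_RE.match, lines_of(sections, 'List of drivers')) if m}
    findings, created = [], []
    for m in filter(None, map(AUTORUN_RE.match, lines_of(sections, 'Registry dump'))):
        findings += [(m.group(1), r) for r in path_indicators(m.group(1))]
    for m in filter(None, map(FILE_RE.match, lines_of(sections, 'List of files/folders created'))):
        ts, attrs, path = datetime.strptime(m.group(1), '%Y-%m-%d %H:%M:%S'), m.group(2), m.group(3)
        created.append((ts, path))
        findings += [(path, r) for r in path_indicators(path, attrs)]
    # Stage 2: pivot on time. Files created within `window` of a stage-1 hit are
    # reported too; a .sys among them that the driver list never mentions needs a
    # closer look (RSIT omits known-good drivers, so timing, not omission, is the signal).
    flagged = {p for p, _ in findings}
    seeds = [(ts, p) for ts, p in created if p in flagged]
    for ts, path in created:
        if path in flagged or not seeds:
            continue
        seed_ts, seed = min(seeds, key=lambda s: abs(ts - s[0]))
        if abs(ts - seed_ts) <= window:
            reason = f'created within {window.seconds // 60} min of {basename(seed)}'
            if path.lower().endswith('.sys') and basename(path).lower() not in registered:
                reason += ' and has no entry in the driver list'
            findings.append((path, reason))
    return findings
```

triage(SAMPLE_LOG) returns (path, reason) pairs; on the sample it reports vsbntlo.exe, bmkpcvhshdw.exe, C:\RECYCLER and ohydy.exe from stage 1, then ltjgdmbd.sys and the hex-named Roaming folder from the timestamp pivot, while GoogleUpdate.exe (a pronounceable name in AppData) and tcpip.sys (a driver updated on 2010-08-12, weeks away from the cluster) stay quiet. To run it on a full RSIT log, pass the file contents instead of SAMPLE_LOG; the rules ignore the "modified" list on purpose, since that list is dominated by Windows Update noise.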

vyosek
VIP
Posts: 56373
Registered: 07 Nov 2006 15:24
Location: Šalingrad - Brno

Re: Probably a rootkit in a laptop

#2 Post by vyosek »

Hello and good morning :)

- Honestly, your friend's machine is infested through and through. If you can, give her your login so she can fix it herself and you don't have to act as the go-between; my instructions are simple and I'll explain anything that is unclear.

- I recommend uninstalling the toolbars (browser bars) in Add or Remove Programs, if you don't use them.

- Uninstall AskBarDis, and also Lavasoft Ad-Aware (development of the program has already been discontinued).

- I assume that since you have a freshly installed Norton Internet Security, you also have a purchased license for it.

- Plug all USB keys (flash drives, external disks etc.) into the PC. PLEASE READ THE INSTRUCTIONS CAREFULLY: THIS UTILITY HAS A GREAT CAPACITY TO DELETE AND MUST ONLY BE USED WHEN RECOMMENDED, OTHERWISE YOUR SYSTEM CAN GO DOWN THE DRAIN
- Download Combofix and save it to the desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
  • Turn off all resident security programs: firewalls, antiviruses, antispyware etc.
  • Plug all USB keys (flash drives, external disks etc.) into the PC
  • If you have Win XP, run it under the Administrator account
  • If you have Win Vista or Win 7, right-click Combofix and choose Run As Administrator
  • Immediately after it starts, a page with the license agreement appears; continue by clicking Yes
  • If CF offers to install the Recovery Console, agree
  • Then follow the prompts; during the scan leave the PC completely alone: don't launch any applications and don't click into the window that appears
  • The scan should take about 10 min, but if the PC is heavily infested it may take longer
  • After the scan finishes, and after a possible restart, CF displays a log; you can also find it at C:\ComboFix.txt. Paste its contents here

morlock
Visitor
Posts: 95
Registered: 02 Sep 2010 23:12

Re: Probably a rootkit in a laptop

#3 Post by morlock »

Hello, thanks for the instant reaction; I really didn't expect anyone to reply at 2:30 in the morning :D . I'll have to keep being the go-between: firstly, my friend is speaking only English, and secondly she's on holiday and I have her laptop with me.

So I removed AskBarDis and Ad-Aware; Norton Internet Security is there, but its license has expired. I'd rather leave the toolbars there, maybe she uses them.
Then I ran USBFix over it (the only flash drive I use is the one for transferring data from the internet from my laptop to hers).

Now I'm working up the "courage" for that ComboFix; she says she has no CDs for the laptop, so if the system goes belly-up I'm screwed. She has Vista, English version. Expired Norton and the firewall switched off, she was asking for it :)

Here is the UsbFix log

############################## | UsbFix 7.023 | [Deletion]

User: Kerry Dunne (Administrator) # KERRYDUNNE-PC [eMachines eMachines E525]
Updated 02/09/10 by El Desaparecido / C_XX
Started at 14:48:33 | 03/09/2010
Website: http://pagesperso-orange.fr/NosTools/index.html
Contact: FindyKill.Contact@gmail.com

CPU: Intel(R) Celeron(R) CPU 900 @ 2.20GHz
Microsoft® Windows Vista™ Home Basic (6.0.6002 32-Bit) # Service Pack 2
Internet Explorer 7.0.6002.18005

Windows Firewall: Disabled /!\
RAM -> 3001 Mb
C:\ (%systemdrive%) -> Fixed drive # 139 Gb (99 Mb free - 71%) [OS] # NTFS
D:\ -> CD-ROM
E:\ -> Removable drive # 4 Gb (3 Mb free - 84%) [] # FAT32

################## | Files # Infected Folders |

Deleted ! C:\Users\KERRYD~1\AppData\Local\Temp\363.exe
Deleted ! E:\log.txt

################## | Registry |

Deleted ! HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\clview.exe
Deleted ! HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dw20.exe
Deleted ! HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwtrig20.exe
Deleted ! HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excel.exe
Deleted ! HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excelcnv.exe
Deleted ! HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\graph.exe
Deleted ! HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msohtmed.exe
Deleted ! HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msosync.exe
Deleted ! HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoxmled.exe
Deleted ! HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msqry32.exe
Deleted ! HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mstordb.exe
Deleted ! HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mstore.exe
Deleted ! HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ois.exe
Deleted ! HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onelev.exe
Deleted ! HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onenote.exe
Deleted ! HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onenotem.exe
Deleted ! HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ose.exe
Deleted ! HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powerpnt.exe
Deleted ! HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\selfcert.exe
Deleted ! HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setlang.exe
Deleted ! HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vpreview.exe
Deleted ! HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Winword.exe
Deleted ! HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wordconv .exe
Deleted ! HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wxp.exe
Deleted ! HKLM\software\microsoft\windows nt\currentversion\winlogon|Taskman

################## | Mountpoints2 |

Deleted ! HKCU\.\.\.\.\Explorer\MountPoints2\F
Deleted ! HKCU\.\.\.\.\Explorer\MountPoints2\{468d91cb-209f-11df-b45b-00235a958f07}
Deleted ! HKCU\.\.\.\.\Explorer\MountPoints2\{d058ca46-3a50-11de-b656-806e6f6e6963}
Deleted ! HKCU\.\.\.\.\Explorer\MountPoints2\{fd99b268-f39e-11de-a188-00235a958f07}
Deleted ! HKCU\.\.\.\.\Explorer\MountPoints2\{fd99b27f-f39e-11de-a188-00235a958f07}

################## | Listing |

[03/09/2010 - 14:55:25 | SHD ] C:\$Recycle.Bin
[29/01/2010 - 16:43:45 | D ] C:\715a75203cccb574de14
[28/12/2009 - 04:03:02 | HD ] C:\ACER
[28/12/2009 - 04:01:24 | HD ] C:\ACERSW
[02/09/2010 - 23:09:32 | D ] C:\Antivir
[18/09/2006 - 22:43:36 | A | 24] C:\autoexec.bat
[06/05/2009 - 16:38:07 | AD ] C:\book
[02/09/2010 - 21:47:34 | SHD ] C:\Boot
[11/04/2009 - 07:36:36 | RASH | 333257] C:\bootmgr
[11/03/2009 - 05:11:31 | RAS | 8192] C:\BOOTSECT.BAK
[18/09/2006 - 22:43:37 | A | 10] C:\config.sys
[02/11/2006 - 13:59:44 | SHD ] C:\Documents and Settings
[03/09/2010 - 14:45:35 | ASH | 3145728000] C:\hiberfil.sys
[11/03/2009 - 14:58:35 | D ] C:\Intel
[03/02/2010 - 19:48:11 | D ] C:\logs
[11/03/2009 - 15:10:30 | RHD ] C:\MSOCache
[03/09/2010 - 14:45:33 | ASH | 3461599232] C:\pagefile.sys
[21/01/2008 - 03:43:50 | D ] C:\PerfLogs
[02/09/2010 - 03:16:51 | D ] C:\prac
[03/09/2010 - 14:24:09 | RD ] C:\Program Files
[02/09/2010 - 07:15:36 | HD ] C:\ProgramData
[03/09/2010 - 14:49:54 | D ] C:\RECYCLER
[11/03/2009 - 15:05:08 | A | 2469] C:\RHDSetup.log
[02/09/2010 - 23:06:46 | D ] C:\rsit
[03/09/2010 - 01:31:30 | SHD ] C:\System Volume Information
[03/09/2010 - 14:55:25 | D ] C:\UsbFix
[03/09/2010 - 14:48:40 | A | 5055] C:\UsbFix.txt
[28/12/2009 - 04:01:09 | RD ] C:\Users
[06/05/2009 - 16:35:34 | A | 389512] C:\vcredist_x86.log
[03/09/2010 - 01:31:51 | D ] C:\Windows
[31/01/2010 - 16:34:28 | HD ] E:\.Trashes
[02/09/2010 - 07:04:50 | A | 19153264] E:\aaw2008.exe
[31/01/2010 - 16:34:28 | AH | 4096] E:\._.Trashes
[05/02/2010 - 13:03:44 | A | 23552] E:\preklad likvidace.doc
[21/05/2010 - 08:11:18 | SHD ] E:\FOUND.000
[02/09/2010 - 13:50:40 | A | 38562496] E:\vpsupd.exe
[31/01/2010 - 16:34:28 | HD ] E:\.Spotlight-V100
[05/02/2010 - 17:29:26 | D ] E:\Barbara
[01/06/2010 - 08:43:54 | D ] E:\Martin
[02/09/2010 - 02:57:14 | A | 53785488] E:\setup_av_free.exe
[07/07/2008 - 00:19:04 | A | 127] E:\klic.txt
[02/09/2010 - 15:08:38 | A | 28] E:\avast.txt
[02/09/2010 - 17:45:06 | A | 9099340] E:\defs.zip
[02/09/2010 - 23:05:34 | A | 339991] E:\RSIT.exe
[02/09/2010 - 23:09:34 | A | 35376] E:\info.txt
[03/09/2010 - 14:38:10 | A | 1209079] E:\UsbFix.exe

################## | Vaccin |

C:\Autorun.inf -> Folder created by UsbFix (El Desaparecido & C_XX)
E:\Autorun.inf -> Folder created by UsbFix (El Desaparecido & C_XX)

################## | Upload |

Please send the file: C:\UsbFix_Upload_Me_KERRYDUNNE-PC.zip
http://chiquitine.changelog.fr/Sample/Upload.php
Thank you for your contribution.

################## | E.O.F |

vyosek
VIP
Posts: 56373
Registered: 07 Nov 2006 15:24
Location: Šalingrad - Brno

Re: probably a rootkit in the notebook

#4 Post by vyosek »

I came back from the night shift, so I got down to it :arcisit:

:arrow: So get rid of that expired Norton - it is useless anyway when it doesn't work - here is the uninstaller if needed ftp://ftp.symantec.com/public/english_u ... l_Tool.exe

:arrow: Put on the free Avast or Avira http://www.viry.cz/forum/viewtopic.php?f=29&t=6152

:arrow: Apply ComboFix

morlock
Guest
Posts: 95
Registered: 02 Sep 2010 23:12

Re: probably a rootkit in the notebook

#5 Post by morlock »

Hi,

as I already wrote above, if I install Avast the computer freezes :oops: (blue screen + memory dump) at start-up, specifically at the point where the user is chosen for logging in. I have never tried Avira - I can try it now.

Martin

vyosek
VIP
Posts: 56373
Registered: 07 Nov 2006 15:24
Location: Šalingrad - Brno

Re: probably a rootkit in the notebook

#6 Post by vyosek »

:arrow: Feel free to put Avira on it - it is in English, so better for the user... But uninstall that Norton first, otherwise they will fight each other :twisted:

:arrow: Clean up after Avast with this http://www.avast.com/cs-cz/uninstall-utility or alternatively this http://files.avast.com/files/eng/aswclear.exe

:arrow: And then on to ComboFix so we give the notebook some relief :)

morlock
Guest
Posts: 95
Registered: 02 Sep 2010 23:12

Re: probably a rootkit in the notebook

#7 Post by morlock »

I see, you think Avast was fighting with Norton and that is why the notebook froze at start-up? So I'll try installing Avast once more after I remove Norton and we'll see. According to what you write here about Avira and Avast, Avast is the more complete solution - and it can also be run entirely in English. So I'll try it and if it doesn't work I'll try Avira. Martin

vyosek
VIP
Posts: 56373
Registered: 07 Nov 2006 15:24
Location: Šalingrad - Brno

Re: probably a rootkit in the notebook

#8 Post by vyosek »

If there are two "anti" programs in the PC (antiviruses, antispyware, firewalls), collisions can occur - more in my colleague's article http://www.viry.cz/forum/viewtopic.php?f=29&t=2780

It would certainly be appropriate, indeed desirable, to have some protection (Avast or Avira) in place before the cleaning starts, otherwise after the cleaning (or even during it) it will get dirty again right away...

morlock
Guest
Posts: 95
Registered: 02 Sep 2010 23:12

Re: probably a rootkit in the notebook

#9 Post by morlock »

Hello,

so I uninstalled Norton and installed Avast - same problem -> blue screen

so I removed Avast using the little program you recommended to me, restarted and started installing Avira

It warned me to deactivate Windows Defender beforehand, otherwise there could be compatibility problems. I told myself that Avast perhaps had the same problem. Instead of Avira I tried Avast once more after switching off Windows Defender and voilà - Avast runs :all_coholic: . I also added ZoneAlarm and ran ComboFix - here is the log

ComboFix 10-09-02.03 - Kerry Dunne 03/09/2010 17:00:46.1.1 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.353.1033.18.3001.1980 [GMT 1:00]
Running from: c:\users\Kerry Dunne\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Kerry Dunne\AppData\Local\Windows Server
c:\users\Kerry Dunne\AppData\Local\Windows Server\admin.txt
c:\users\Kerry Dunne\AppData\Local\Windows Server\hlp.dat
c:\users\Kerry Dunne\AppData\Local\Windows Server\server.dat
c:\users\Kerry Dunne\AppData\Roaming\5E170330394A038E71BCC34714A0F947
c:\users\Kerry Dunne\AppData\Roaming\5E170330394A038E71BCC34714A0F947\enemies-names.txt
c:\users\Kerry Dunne\AppData\Roaming\5E170330394A038E71BCC34714A0F947\local.ini
c:\users\Kerry Dunne\AppData\Roaming\Microsoft\Windows\Templates\memory.tmp
c:\windows\system32\msdvdr.dat

.
((((((((((((((((((((((((( Files Created from 2010-08-03 to 2010-09-03 )))))))))))))))))))))))))))))))
.

2010-09-03 16:08 . 2010-09-03 16:08 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-09-03 15:42 . 2010-05-15 15:30 457304 ----a-w- c:\windows\system32\drivers\vsdatant.sys
2010-09-03 15:42 . 2010-09-03 15:42 -------- d-----w- c:\program files\Zone Labs
2010-09-03 15:41 . 2010-09-03 16:09 -------- d-----w- c:\windows\Internet Logs
2010-09-03 15:41 . 2010-09-03 15:41 -------- d-----w- c:\programdata\CheckPoint
2010-09-03 15:39 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-09-03 15:39 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-09-03 15:39 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-09-03 15:39 . 2010-06-28 20:32 50256 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-09-03 15:38 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-09-03 15:16 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-09-03 15:15 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
2010-09-03 13:55 . 2010-09-03 13:55 12100 ----a-w- C:\UsbFix_Upload_Me_KERRYDUNNE-PC.zip
2010-09-03 13:48 . 2010-09-03 13:55 -------- d-----w- C:\UsbFix
2010-09-02 22:06 . 2010-09-02 22:06 -------- d-----w- C:\rsit
2010-09-02 22:06 . 2010-09-02 22:06 -------- d-----w- c:\program files\trend micro
2010-09-02 22:06 . 2010-09-02 22:09 -------- d-----w- C:\Antivir
2010-09-02 20:41 . 2010-09-02 20:42 -------- d-----w- c:\windows\system32\ca-ES
2010-09-02 20:41 . 2010-09-02 20:42 -------- d-----w- c:\windows\system32\eu-ES
2010-09-02 20:41 . 2010-09-02 20:42 -------- d-----w- c:\windows\system32\vi-VN
2010-09-02 06:15 . 2010-09-03 00:31 -------- d-----w- c:\programdata\Lavasoft
2010-09-02 05:35 . 2010-09-02 05:35 -------- d-----w- c:\windows\system32\EventProviders
2010-09-02 01:59 . 2010-09-03 15:38 -------- d-----w- c:\program files\Alwil Software
2010-09-02 01:59 . 2010-09-03 15:15 -------- d-----w- c:\programdata\Alwil Software
2010-08-30 13:48 . 2010-09-03 13:27 680 ----a-w- c:\users\Kerry Dunne\AppData\Local\d3d9caps.dat
2010-08-30 13:24 . 2010-09-02 14:19 -------- d-----w- c:\users\Kerry Dunne\AppData\Local\lgppigpvg
2010-08-30 13:22 . 2010-08-30 15:07 -------- d-----w- c:\users\Kerry Dunne\AppData\Local\Windows
2010-08-27 08:30 . 2010-08-27 08:30 -------- d-----w- c:\program files\Microsoft Analysis Services
2010-08-26 23:42 . 2010-08-26 23:42 -------- d-----w- c:\users\Kerry Dunne\AppData\Roaming\Template
2010-08-17 01:05 . 2010-08-17 01:05 -------- d-----w- c:\users\Kerry Dunne\AppData\Roaming\PC Suite
2010-08-17 01:05 . 2010-08-17 01:05 -------- d-----w- c:\programdata\PC Suite
2010-08-16 22:05 . 2007-05-02 15:31 90624 ----a-w- c:\windows\system32\nmwcdcls.dll
2010-08-16 22:05 . 2010-08-16 22:05 -------- d-----w- c:\program files\DIFX
2010-08-16 22:05 . 2007-09-17 14:53 21632 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
2010-08-16 22:05 . 2010-08-16 22:05 -------- dc----w- c:\windows\system32\DRVSTORE
2010-08-16 22:04 . 2009-03-20 09:01 90112 ----a-w- c:\windows\system32\drivers\ss_bbus.sys
2010-08-16 22:04 . 2009-03-20 09:01 14976 ----a-w- c:\windows\system32\drivers\ss_bmdfl.sys
2010-08-16 22:04 . 2009-03-20 09:01 121856 ----a-w- c:\windows\system32\drivers\ss_bmdm.sys
2010-08-16 22:04 . 2009-03-20 09:01 12160 ----a-w- c:\windows\system32\drivers\ss_bwhnt.sys
2010-08-16 22:04 . 2009-03-20 09:01 12160 ----a-w- c:\windows\system32\drivers\ss_bwh.sys
2010-08-16 22:04 . 2009-03-20 09:01 12160 ----a-w- c:\windows\system32\drivers\ss_bcmnt.sys
2010-08-16 22:04 . 2009-03-20 09:01 12160 ----a-w- c:\windows\system32\drivers\ss_bcm.sys
2010-08-16 22:04 . 2010-08-16 22:05 -------- d-----w- c:\windows\system32\Samsung_USB_Drivers
2010-08-16 21:54 . 2009-03-31 08:39 36608 ----a-w- c:\windows\system32\FsUsbExDisk.Sys
2010-08-16 21:54 . 2009-03-31 08:39 233472 ----a-w- c:\windows\system32\FsUsbExService.Exe
2010-08-16 21:54 . 2009-03-31 08:39 110592 ----a-w- c:\windows\system32\FsUsbExDevice.Dll
2010-08-16 21:53 . 2010-08-16 21:53 -------- d-----w- c:\users\Kerry Dunne\AppData\Roaming\Samsung
2010-08-16 21:52 . 2010-08-16 21:52 -------- d-----w- c:\program files\MarkAny
2010-08-16 21:52 . 2010-08-16 22:05 -------- d-----w- c:\program files\PC Connectivity Solution
2010-08-16 21:51 . 2010-08-16 22:05 -------- d-----w- c:\program files\Samsung
2010-08-16 21:50 . 2010-08-16 21:50 -------- d-----w- c:\users\Kerry Dunne\AppData\Local\Downloaded Installations
2010-08-12 15:25 . 2010-06-16 16:39 912776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-08-12 15:25 . 2010-06-16 14:01 31232 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2010-08-12 15:22 . 2010-05-27 20:08 81920 ----a-w- c:\windows\system32\iccvid.dll
2010-08-12 15:22 . 2010-06-29 15:47 834048 ----a-w- c:\windows\system32\wininet.dll
2010-08-12 15:22 . 2010-06-28 16:13 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-08-12 15:22 . 2010-06-11 16:16 274944 ----a-w- c:\windows\system32\schannel.dll
2010-08-12 15:20 . 2010-06-21 13:37 2037760 ----a-w- c:\windows\system32\win32k.sys
2010-08-12 15:20 . 2010-06-18 17:31 36864 ----a-w- c:\windows\system32\rtutils.dll
2010-08-12 15:20 . 2010-06-08 17:35 3600768 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-08-12 15:20 . 2010-06-08 17:35 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-08-12 01:43 . 2010-06-11 16:15 1248768 ----a-w- c:\windows\system32\msxml3.dll
2010-08-12 01:43 . 2010-06-18 15:04 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-12 01:43 . 2010-06-18 15:04 144896 ----a-w- c:\windows\system32\drivers\srv2.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-03 16:10 . 2010-03-16 20:09 -------- d-----w- c:\users\Kerry Dunne\AppData\Roaming\Skype
2010-09-03 15:44 . 2010-09-03 15:42 421442 ---ha-w- c:\windows\system32\drivers\vsconfig.xml
2010-09-03 15:44 . 2010-09-03 15:44 -------- d-----w- c:\users\Kerry Dunne\AppData\Roaming\CheckPoint
2010-09-03 15:43 . 2010-09-03 15:43 -------- d-----w- c:\program files\CheckPoint
2010-09-03 14:57 . 2009-03-11 14:34 -------- d-----w- c:\programdata\Norton
2010-09-02 20:42 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Sidebar
2010-09-02 20:42 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Photo Gallery
2010-09-02 20:42 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Collaboration
2010-09-02 20:42 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Calendar
2010-09-02 20:42 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-09-02 20:42 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Defender
2010-09-02 20:41 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-08-28 11:19 . 2009-03-11 14:11 -------- d-----w- c:\programdata\Microsoft Help
2010-08-27 09:38 . 2010-02-25 11:55 104056 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2010-08-17 00:02 . 2010-08-16 23:00 41200640 ----a-w- c:\users\Kerry Dunne\AppData\Roaming\Samsung\New PC Studio\LiveUpdate\Setup_For_Full_Update_IH2_7.exe
2010-08-16 21:53 . 2009-03-11 14:03 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-16 21:48 . 2009-03-11 14:33 -------- d-----w- c:\program files\Common Files\Adobe
2010-08-16 21:38 . 2010-01-12 21:56 -------- d-----w- c:\users\Kerry Dunne\AppData\Roaming\Azureus
2010-08-13 12:45 . 2009-03-11 14:12 -------- d-----w- c:\program files\Microsoft Works
2010-07-30 14:37 . 2010-02-03 19:35 -------- d-----w- c:\programdata\Dl_cats
2010-07-25 21:24 . 2010-07-25 21:24 -------- d-----w- c:\program files\Microsoft Reader
2010-07-25 21:24 . 2009-03-11 14:03 -------- d-----w- c:\program files\Common Files\InstallShield
2010-06-23 12:51 . 2010-09-03 15:42 1238528 ----a-w- c:\windows\system32\zpeng25.dll
2010-06-23 12:51 . 2010-09-03 15:42 69120 ----a-w- c:\windows\system32\zlcomm.dll
2010-06-23 12:51 . 2010-09-03 15:42 103936 ----a-w- c:\windows\system32\zlcommdb.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-12-28 68856]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-03-09 26100520]
"Google Update"="c:\users\Kerry Dunne\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-12-30 135664]
"AutoStartNPSAgent"="c:\program files\Samsung\Samsung New PC Studio\NPSAgent.exe" [2009-04-02 102400]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"WarReg_PopUp"="c:\program files\eMachines\WR_PopUp\WarReg_PopUp.exe" [2008-11-04 57344]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-02-11 6724128]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-11-05 154136]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2009-02-12 862728]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-11-05 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-11-05 178712]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-07-28 30192]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-07-21 159744]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"Acer ePower Management"="c:\program files\eMachines\eMachines Power Management\ePowerTray.exe" [2009-04-03 698912]
"Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2009-02-11 1833504]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2010-05-26 730600]

c:\users\Kerry Dunne\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2010-3-29 227712]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast5]
2010-06-28 20:57 2837864 ----a-w- c:\progra~1\ALWILS~1\Avast5\AvastUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dldtamon]
2008-06-24 06:27 16624 ----a-w- c:\program files\Dell V305\dldtamon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dldtmon.exe]
2008-06-24 06:26 668912 ----a-w- c:\program files\Dell V305\dldtmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):ca,5e,5c,15,e0,4a,cb,01

R2 aswFsBlk;aswFsBlk; [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-12-30 135664]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-07-28 30192]
R3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\DRIVERS\ewusbfake.sys [2008-12-30 103040]
R3 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2008-09-23 50424]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4640000]
R3 ss_bbus;SAMSUNG USB Mobile Device (WDM);c:\windows\system32\DRIVERS\ss_bbus.sys [2009-03-20 90112]
R3 ss_bmdfl;SAMSUNG USB Mobile Modem (Filter);c:\windows\system32\DRIVERS\ss_bmdfl.sys [2009-03-20 14976]
R3 ss_bmdm;SAMSUNG USB Mobile Modem;c:\windows\system32\DRIVERS\ss_bmdm.sys [2009-03-20 121856]
R3 vsdatant7;vsdatant7;c:\windows\system32\drivers\vsdatant.win7.sys [x]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 dldt_device;dldt_device;c:\windows\system32\dldtcoms.exe [2008-02-25 595184]
R4 dldtCATSCustConnectService;dldtCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\dldtserv.exe [2008-02-25 99568]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-06-28 50256]
S2 ePowerSvc;Acer ePower Service;c:\program files\eMachines\eMachines Power Management\ePowerSvc.exe [2009-04-03 723488]
S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2009-03-31 233472]
S2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [2010-05-26 26352]
S2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\IswSvc.exe [2010-05-26 493032]
S2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2008-09-23 144632]
S2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-04-17 11032]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.SYS [2009-03-31 36608]
S3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C60x86.sys [2009-01-15 49664]


--- Other Services/Drivers In Memory ---

*Deregistered* - ltjgdmbd

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
.
Contents of the 'Scheduled Tasks' folder

2010-09-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-17 01:59]

2010-09-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-17 01:59]

2010-09-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3768133199-3547387650-2985043688-1000Core.job
- c:\users\Kerry Dunne\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-30 01:59]

2010-09-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3768133199-3547387650-2985043688-1000UA.job
- c:\users\Kerry Dunne\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-30 01:59]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&i ... urceid=ie7
uInternet Settings,ProxyServer = http=127.0.0.1:6522
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
DPF: {C345E174-3E87-4F41-A01C-B066A90A49B4} - hxxp://trial.trymicrosoftoffice.com/trialoaa/buymsoffice_assets/framework/microsoft/wrc32.ocx
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-NPSStartup - (no file)
MSConfigStartUp-12CFG214-K641-12SF-N85P - c:\recycler\S-1-5-21-0243936033-3052116371-381863308-1811\vsbntlo.exe
MSConfigStartUp-txnnjgma - c:\users\Kerry Dunne\AppData\Local\lgppigpvg\bmkpcvhshdw.exe



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ltjgdmbd]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(672)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

- - - - - - - > 'Explorer.exe'(1592)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\conime.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Launch Manager\LManager.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\igfxext.exe
c:\users\KERRYD~1\AppData\Local\Temp\RtkBtMnt.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Apoint2K\ApMsgFwd.exe
c:\windows\system32\igfxext.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Apoint2K\Apntex.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2010-09-03 17:15:30 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-03 16:15

Pre-Run: 105,833,820,160 bytes free
Post-Run: 107,204,685,824 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - 0C375DB73DB427268E88C20F3593A60E
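
The ComboFix log above is read by eye in the thread; as an added example (not part of the original post, nor ComboFix's own code), here is a small Python triage script that scans lines of that shape for the indicators the helper acts on: a browser proxy pointed at 127.0.0.1, a driver loaded in memory with no service entry, and autostart entries pointing at random-named files under AppData or the Recycler. The sample log is constructed from the log above, and the "random-looking name" heuristic is an assumption of this example, not a ComboFix rule.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample modelled on the ComboFix log posted in this thread
# (only the lines the triage looks at are kept; the random-named items are
# the same ones ComboFix removed above).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-03-09 26100520]
"Google Update"="c:\users\Kerry Dunne\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-12-30 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]

--- Other Services/Drivers In Memory ---

*Deregistered* - ltjgdmbd

------- Supplementary Scan -------
uInternet Settings,ProxyServer = http=127.0.0.1:6522
uInternet Settings,ProxyOverride = <local>

- - - - ORPHANS REMOVED - - - -

HKLM-Run-NPSStartup - (no file)
MSConfigStartUp-12CFG214-K641-12SF-N85P - c:\recycler\S-1-5-21-0243936033-3052116371-381863308-1811\vsbntlo.exe
MSConfigStartUp-txnnjgma - c:\users\Kerry Dunne\AppData\Local\lgppigpvg\bmkpcvhshdw.exe
"""

# Line shapes taken from the ComboFix sections "Reg Loading Points",
# "Other Services/Drivers In Memory", "Supplementary Scan" and "ORPHANS REMOVED".
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')
PROXY = re.compile(r"ProxyServer\s*=\s*(?P<value>\S+)")
DEREG = re.compile(r"^\*Deregistered\*\s*-\s*(?P<name>\S+)")
ORPHAN = re.compile(r"^MSConfigStartUp-(?P<name>\S+)\s+-\s+(?P<path>.+)$")

# Locations a normal installer rarely uses for an autostart binary.
ALWAYS_SUSPECT = ("\\recycler\\", "\\$recycle.bin\\", "\\temp\\")
USER_WRITABLE = ALWAYS_SUSPECT + ("\\appdata\\", "\\programdata\\")


@dataclass(frozen=True)
class Finding:
    kind: str   # what kind of indicator matched
    item: str   # the value name, driver name or setting
    why: str    # short reason a human can check against the log


def looks_random(name: str) -> bool:
    """Heuristic (an assumption of this example, not a ComboFix rule) for generated
    names such as 'lgppigpvg': lower-case letters only, 7+ long, under a quarter vowels."""
    stem = name.rsplit(".", 1)[0]
    if len(stem) < 7 or not stem.isalpha() or not stem.islower():
        return False
    vowels = sum(ch in "aeiouy" for ch in stem)
    return vowels / len(stem) < 0.25


def suspicious_path(path: str) -> str | None:
    """Reason string if an autostart path points where malware likes to live, else None."""
    low = path.lower()
    if any(marker in low for marker in ALWAYS_SUSPECT):
        return "executable in Temp/Recycler"
    if any(marker in low for marker in USER_WRITABLE):
        odd = [part for part in path.split("\\") if looks_random(part)]
        if odd:
            return f"random-looking name(s) {odd} under a user-writable directory"
    return None


def triage(log_text: str) -> list[Finding]:
    """Scan ComboFix-style lines and collect the indicators worth a second look."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := RUN_VALUE.match(line):
            if why := suspicious_path(m["path"]):
                findings.append(Finding("run-key", m["name"], why))
        elif m := PROXY.search(line):
            # A proxy on the loopback interface is how the infection intercepted browsing.
            if re.search(r"127\.0\.0\.1|localhost", m["value"]):
                findings.append(Finding("proxy", m["value"],
                                        "browser traffic routed through a local proxy port"))
        elif m := DEREG.match(line):
            # Loaded in memory but with no service entry: the classic hidden driver.
            why = "loaded in memory but no registered service entry"
            if looks_random(m["name"]):
                why += " (random-looking name)"
            findings.append(Finding("hidden-driver", m["name"], why))
        elif m := ORPHAN.match(line):
            if why := suspicious_path(m["path"]):
                findings.append(Finding("orphan-startup", m["name"], why))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.item}: {f.why}")
```

Run against the sample it reports the hidden driver ltjgdmbd, the loopback proxy and the two orphaned startup entries, while the legitimate Skype, Google Update and Windows Defender entries pass.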

vyosek
VIP
Posts: 56373
Registered: 07 Nov 2006 15:24
Location: Šalingrad - Brno

Re: probably a rootkit in the notebook

#10 Post by vyosek »

So let's move on :James008: USBFix wiped some of it, but the little pests are still there :arcisit:
:arrow: If you haven't already, move ComboFix to the desktop
  • Start Notepad (Start - Run - notepad)
  • Copy the script below
  • Code:

    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WMPNSCFG"=-
    "swg"=-
    "Skype"=-
    "Google Update"=-
    "AutoStartNPSAgent"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"=-
    "Adobe Reader Speed Launcher"=-
    
    Driver::
    aswFsBlk
    ltjgdmbd
    
    File::
    c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3768133199-3547387650-2985043688-1000Core.job
    c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3768133199-3547387650-2985043688-1000UA.job
    
    DDS::
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
    
    RegLock::
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
  • Save the created TXT as CFScript.txt
  • Drag the created CFScript.txt onto ComboFix and run it (see the image below)
    [Image]
  • After the script is applied (and a possible restart) a log will pop up; paste its contents here
:arrow: It can happen that Windows does not boot after applying the script; in that case restart the PC, press F8 and choose Last Known Good Configuration

morlock
Guest
Posts: 95
Registered: 02 Sep 2010 23:12

Re: probably a rootkit in the notebook

#11 Post by morlock »

I did everything according to the instructions - here is the log. While ComboFix was working, a message appeared that pev.exe had stopped working and that Windows would close this program


ComboFix 10-09-02.03 - Kerry Dunne 03/09/2010 18:42:30.2.1 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.353.1033.18.3001.1896 [GMT 1:00]
Running from: c:\users\Kerry Dunne\Desktop\ComboFix.exe
Command switches used :: c:\users\Kerry Dunne\Desktop\CFscript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\windows\Tasks\GoogleUpdateTaskMachineCore.job"
"c:\windows\Tasks\GoogleUpdateTaskMachineUA.job"
"c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3768133199-3547387650-2985043688-1000Core.job"
"c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3768133199-3547387650-2985043688-1000UA.job"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3768133199-3547387650-2985043688-1000Core.job
c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3768133199-3547387650-2985043688-1000UA.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASWFSBLK
-------\Legacy_LTJGDMBD
-------\Service_aswFsBlk
-------\Service_ltjgdmbd


((((((((((((((((((((((((( Files Created from 2010-08-03 to 2010-09-03 )))))))))))))))))))))))))))))))
.

2010-09-03 17:49 . 2010-09-03 17:49 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-09-03 17:49 . 2010-09-03 17:49 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-09-03 17:40 . 2010-09-03 17:40 -------- d-----w- C:\32788R22FWJFW
2010-09-03 16:38 . 2010-09-03 16:38 509552 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtbD598.tmp.exe
2010-09-03 15:42 . 2010-05-15 15:30 457304 ----a-w- c:\windows\system32\drivers\vsdatant.sys
2010-09-03 15:42 . 2010-09-03 15:42 -------- d-----w- c:\program files\Zone Labs
2010-09-03 15:41 . 2010-09-03 17:51 -------- d-----w- c:\windows\Internet Logs
2010-09-03 15:41 . 2010-09-03 15:41 -------- d-----w- c:\programdata\CheckPoint
2010-09-03 15:39 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-09-03 15:39 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-09-03 15:39 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-09-03 15:39 . 2010-06-28 20:32 50256 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-09-03 15:38 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-09-03 15:16 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-09-03 15:15 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
2010-09-03 13:55 . 2010-09-03 13:55 12100 ----a-w- C:\UsbFix_Upload_Me_KERRYDUNNE-PC.zip
2010-09-03 13:48 . 2010-09-03 13:55 -------- d-----w- C:\UsbFix
2010-09-02 22:06 . 2010-09-02 22:06 -------- d-----w- C:\rsit
2010-09-02 22:06 . 2010-09-02 22:06 -------- d-----w- c:\program files\trend micro
2010-09-02 22:06 . 2010-09-02 22:09 -------- d-----w- C:\Antivir
2010-09-02 20:41 . 2010-09-02 20:42 -------- d-----w- c:\windows\system32\ca-ES
2010-09-02 20:41 . 2010-09-02 20:42 -------- d-----w- c:\windows\system32\eu-ES
2010-09-02 20:41 . 2010-09-02 20:42 -------- d-----w- c:\windows\system32\vi-VN
2010-09-02 06:15 . 2010-09-03 00:31 -------- d-----w- c:\programdata\Lavasoft
2010-09-02 05:35 . 2010-09-02 05:35 -------- d-----w- c:\windows\system32\EventProviders
2010-09-02 01:59 . 2010-09-03 15:38 -------- d-----w- c:\program files\Alwil Software
2010-09-02 01:59 . 2010-09-03 15:15 -------- d-----w- c:\programdata\Alwil Software
2010-08-30 13:48 . 2010-09-03 13:27 680 ----a-w- c:\users\Kerry Dunne\AppData\Local\d3d9caps.dat
2010-08-30 13:26 . 2010-09-03 17:50 786944 ----a-w- c:\windows\system32\drivers\ltjgdmbd.sys
2010-08-30 13:24 . 2010-09-02 14:19 -------- d-----w- c:\users\Kerry Dunne\AppData\Local\lgppigpvg
2010-08-30 13:22 . 2010-08-30 15:07 -------- d-----w- c:\users\Kerry Dunne\AppData\Local\Windows
2010-08-27 08:30 . 2010-08-27 08:30 -------- d-----w- c:\program files\Microsoft Analysis Services
2010-08-26 23:42 . 2010-08-26 23:42 -------- d-----w- c:\users\Kerry Dunne\AppData\Roaming\Template
2010-08-17 01:05 . 2010-08-17 01:05 -------- d-----w- c:\users\Kerry Dunne\AppData\Roaming\PC Suite
2010-08-17 01:05 . 2010-08-17 01:05 -------- d-----w- c:\programdata\PC Suite
2010-08-16 23:00 . 2010-08-17 00:02 41200640 ----a-w- c:\users\Kerry Dunne\AppData\Roaming\Samsung\New PC Studio\LiveUpdate\Setup_For_Full_Update_IH2_7.exe
2010-08-16 22:05 . 2007-05-02 15:31 90624 ----a-w- c:\windows\system32\nmwcdcls.dll
2010-08-16 22:05 . 2010-08-16 22:05 -------- d-----w- c:\program files\DIFX
2010-08-16 22:05 . 2007-09-17 14:53 21632 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
2010-08-16 22:05 . 2010-08-16 22:05 -------- dc----w- c:\windows\system32\DRVSTORE
2010-08-16 22:04 . 2009-03-20 09:01 90112 ----a-w- c:\windows\system32\drivers\ss_bbus.sys
2010-08-16 22:04 . 2009-03-20 09:01 14976 ----a-w- c:\windows\system32\drivers\ss_bmdfl.sys
2010-08-16 22:04 . 2009-03-20 09:01 121856 ----a-w- c:\windows\system32\drivers\ss_bmdm.sys
2010-08-16 22:04 . 2009-03-20 09:01 12160 ----a-w- c:\windows\system32\drivers\ss_bwhnt.sys
2010-08-16 22:04 . 2009-03-20 09:01 12160 ----a-w- c:\windows\system32\drivers\ss_bwh.sys
2010-08-16 22:04 . 2009-03-20 09:01 12160 ----a-w- c:\windows\system32\drivers\ss_bcmnt.sys
2010-08-16 22:04 . 2009-03-20 09:01 12160 ----a-w- c:\windows\system32\drivers\ss_bcm.sys
2010-08-16 22:04 . 2010-08-16 22:05 -------- d-----w- c:\windows\system32\Samsung_USB_Drivers
2010-08-16 21:54 . 2009-03-31 08:39 36608 ----a-w- c:\windows\system32\FsUsbExDisk.Sys
2010-08-16 21:54 . 2009-03-31 08:39 233472 ----a-w- c:\windows\system32\FsUsbExService.Exe
2010-08-16 21:54 . 2009-03-31 08:39 110592 ----a-w- c:\windows\system32\FsUsbExDevice.Dll
2010-08-16 21:53 . 2010-08-16 21:53 -------- d-----w- c:\users\Kerry Dunne\AppData\Roaming\Samsung
2010-08-16 21:52 . 2010-08-16 21:52 -------- d-----w- c:\program files\MarkAny
2010-08-16 21:52 . 2010-08-16 22:05 -------- d-----w- c:\program files\PC Connectivity Solution
2010-08-16 21:51 . 2010-08-16 22:05 -------- d-----w- c:\program files\Samsung
2010-08-16 21:50 . 2010-08-16 21:50 -------- d-----w- c:\users\Kerry Dunne\AppData\Local\Downloaded Installations
2010-08-12 15:25 . 2010-06-16 16:39 912776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-08-12 15:25 . 2010-06-16 14:01 31232 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2010-08-12 15:22 . 2010-05-27 20:08 81920 ----a-w- c:\windows\system32\iccvid.dll
2010-08-12 15:22 . 2010-06-29 15:47 834048 ----a-w- c:\windows\system32\wininet.dll
2010-08-12 15:22 . 2010-06-28 16:13 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-08-12 15:22 . 2010-06-11 16:16 274944 ----a-w- c:\windows\system32\schannel.dll
2010-08-12 15:20 . 2010-06-21 13:37 2037760 ----a-w- c:\windows\system32\win32k.sys
2010-08-12 15:20 . 2010-06-18 17:31 36864 ----a-w- c:\windows\system32\rtutils.dll
2010-08-12 15:20 . 2010-06-08 17:35 3600768 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-08-12 15:20 . 2010-06-08 17:35 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-08-12 01:43 . 2010-06-11 16:15 1248768 ----a-w- c:\windows\system32\msxml3.dll
2010-08-12 01:43 . 2010-06-18 15:04 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-12 01:43 . 2010-06-18 15:04 144896 ----a-w- c:\windows\system32\drivers\srv2.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-03 17:50 . 2010-03-16 20:09 -------- d-----w- c:\users\Kerry Dunne\AppData\Roaming\Skype
2010-09-03 15:44 . 2010-09-03 15:42 421442 ---ha-w- c:\windows\system32\drivers\vsconfig.xml
2010-09-03 15:44 . 2010-09-03 15:44 -------- d-----w- c:\users\Kerry Dunne\AppData\Roaming\CheckPoint
2010-09-03 15:43 . 2010-09-03 15:43 -------- d-----w- c:\program files\CheckPoint
2010-09-03 14:57 . 2009-03-11 14:34 -------- d-----w- c:\programdata\Norton
2010-09-02 20:42 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Sidebar
2010-09-02 20:42 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Photo Gallery
2010-09-02 20:42 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Collaboration
2010-09-02 20:42 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Calendar
2010-09-02 20:42 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-09-02 20:42 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Defender
2010-09-02 20:41 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-08-28 11:19 . 2009-03-11 14:11 -------- d-----w- c:\programdata\Microsoft Help
2010-08-27 09:38 . 2010-02-25 11:55 104056 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2010-08-16 21:53 . 2009-03-11 14:03 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-16 21:48 . 2009-03-11 14:33 -------- d-----w- c:\program files\Common Files\Adobe
2010-08-16 21:38 . 2010-01-12 21:56 -------- d-----w- c:\users\Kerry Dunne\AppData\Roaming\Azureus
2010-08-13 12:45 . 2009-03-11 14:12 -------- d-----w- c:\program files\Microsoft Works
2010-07-30 14:37 . 2010-02-03 19:35 -------- d-----w- c:\programdata\Dl_cats
2010-07-25 21:24 . 2010-07-25 21:24 -------- d-----w- c:\program files\Microsoft Reader
2010-07-25 21:24 . 2009-03-11 14:03 -------- d-----w- c:\program files\Common Files\InstallShield
2010-06-23 12:51 . 2010-09-03 15:42 1238528 ----a-w- c:\windows\system32\zpeng25.dll
2010-06-23 12:51 . 2010-09-03 15:42 69120 ----a-w- c:\windows\system32\zlcomm.dll
2010-06-23 12:51 . 2010-09-03 15:42 103936 ----a-w- c:\windows\system32\zlcommdb.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"WarReg_PopUp"="c:\program files\eMachines\WR_PopUp\WarReg_PopUp.exe" [2008-11-04 57344]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-02-11 6724128]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-11-05 154136]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2009-02-12 862728]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-11-05 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-11-05 178712]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-07-28 30192]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-07-21 159744]
"Acer ePower Management"="c:\program files\eMachines\eMachines Power Management\ePowerTray.exe" [2009-04-03 698912]
"Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2009-02-11 1833504]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2010-05-26 730600]

c:\users\Kerry Dunne\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2010-3-29 227712]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast5]
2010-06-28 20:57 2837864 ----a-w- c:\progra~1\ALWILS~1\Avast5\AvastUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dldtamon]
2008-06-24 06:27 16624 ----a-w- c:\program files\Dell V305\dldtamon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dldtmon.exe]
2008-06-24 06:26 668912 ----a-w- c:\program files\Dell V305\dldtmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):ca,5e,5c,15,e0,4a,cb,01

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-12-30 135664]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-07-28 30192]
R3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\DRIVERS\ewusbfake.sys [2008-12-30 103040]
R4 dldt_device;dldt_device;c:\windows\system32\dldtcoms.exe [2008-02-25 595184]
R4 dldtCATSCustConnectService;dldtCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\dldtserv.exe [2008-02-25 99568]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-06-28 50256]
S2 ePowerSvc;Acer ePower Service;c:\program files\eMachines\eMachines Power Management\ePowerSvc.exe [2009-04-03 723488]
S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2009-03-31 233472]
S2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [2010-05-26 26352]
S2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\IswSvc.exe [2010-05-26 493032]
S3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C60x86.sys [2009-01-15 49664]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = http=127.0.0.1:6522
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
DPF: {C345E174-3E87-4F41-A01C-B066A90A49B4} - hxxp://trial.trymicrosoftoffice.com/trialoaa/buymsoffice_assets/framework/microsoft/wrc32.ocx
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-03 19:04
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(656)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

- - - - - - - > 'Explorer.exe'(2728)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\conime.exe
c:\program files\Launch Manager\LManager.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\igfxext.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\igfxext.exe
c:\windows\system32\wbem\unsecapp.exe
c:\users\KERRYD~1\AppData\Local\Temp\RtkBtMnt.exe
c:\program files\Apoint2K\ApMsgFwd.exe
c:\program files\Apoint2K\Apntex.exe
.
**************************************************************************
.
Completion time: 2010-09-03 19:08:39 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-03 18:08
ComboFix2.txt 2010-09-03 16:15

Pre-Run: 106,903,404,544 bytes free
Post-Run: 106,486,296,576 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=1 Sets=1,5,6,7
- - End Of File - - 33BE707A283AC0D7DF323250FC962A42
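
The ComboFix log above is long enough that it pays to mechanise the first triage pass. The script below is an added example (my own code, not part of the thread and not a ComboFix feature): it parses lines in the "Files Created" format plus the AppInit_DLLs and ProxyServer lines, and flags the patterns this thread turns on: a kernel driver in system32\drivers with a vowel-free, random-looking name (ltjgdmbd.sys), a randomly named directory under the user profile (lgppigpvg), executables written to temp-style locations, an AppInit_DLLs entry, and a user proxy pointing at 127.0.0.1. The sample lines are copied from the posted log into a constructed excerpt; the name heuristic and its threshold are my assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpt: a few lines in the shape of the ComboFix log above (paths copied from the post).
SAMPLE_LOG = r"""
2010-09-03 16:38 . 2010-09-03 16:38 509552 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtbD598.tmp.exe
2010-09-03 15:39 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-08-30 13:26 . 2010-09-03 17:50 786944 ----a-w- c:\windows\system32\drivers\ltjgdmbd.sys
2010-08-30 13:24 . 2010-09-02 14:19 -------- d-----w- c:\users\Kerry Dunne\AppData\Local\lgppigpvg
2010-08-12 15:25 . 2010-06-16 16:39 912776 ----a-w- c:\windows\system32\drivers\tcpip.sys
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
uInternet Settings,ProxyServer = http=127.0.0.1:6522
"""

# "<created> . <modified> <size or --------> <attrs> <path>" as ComboFix prints it
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)
PROXY_LINE = re.compile(r"ProxyServer\s*=\s*(?:http=)?(?P<host>[\w.\-]+):(?P<port>\d+)")
APPINIT_LINE = re.compile(r'"AppInit_DLLs"=(?P<dll>\S+)')
VOWELS = set("aeiouy")


@dataclass(frozen=True)
class Finding:
    item: str
    reason: str


def looks_random(stem: str) -> bool:
    """Assumed heuristic: 7+ letters, all lowercase, under 15% vowels (ltjgdmbd, lgppigpvg).
    Mixed-case vendor names such as aswFsBlk or aswMonFlt are deliberately not flagged."""
    if len(stem) < 7 or not stem.isalpha() or stem != stem.lower():
        return False
    return sum(c in VOWELS for c in stem) / len(stem) < 0.15


def triage_file(path: str, attrs: str) -> Optional[Finding]:
    name = path.rsplit("\\", 1)[-1]                      # original case, for the name test
    stem = name.rsplit(".", 1)[0] if "." in name else name
    low = path.lower()
    is_dir = attrs.startswith("d")
    if not is_dir and low.endswith(".sys") and "\\drivers\\" in low and looks_random(stem):
        return Finding(path, "randomly named kernel driver in system32\\drivers")
    if not is_dir and low.endswith(".exe") and (".tmp." in low or "\\temp\\" in low or "\\appdata\\local\\" in low):
        return Finding(path, "executable written to a temp/profile location")
    if is_dir and "\\appdata\\local\\" in low and looks_random(name):
        return Finding(path, "randomly named directory under the user profile")
    return None


def triage(log_text: str) -> List[Finding]:
    """One pass over the log: file lines, the user proxy setting and AppInit_DLLs."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FILE_LINE.match(line)
        if m:
            hit = triage_file(m["path"], m["attrs"])
            if hit:
                findings.append(hit)
            continue
        m = PROXY_LINE.search(line)
        if m and m["host"] in ("127.0.0.1", "localhost"):
            findings.append(Finding(f'{m["host"]}:{m["port"]}',
                                    "user proxy points at loopback: browser traffic is relayed through a local process"))
            continue
        m = APPINIT_LINE.search(line)
        if m:
            findings.append(Finding(m["dll"], "AppInit_DLLs is set: this DLL is loaded into every process that links user32"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason:<75} {f.item}")
```

Hits are review candidates, not verdicts: the gtbD598.tmp.exe hit is a Google Toolbar updater, the AppInit_DLLs entry in this log is Google Desktop, and a legitimate all-lowercase, vowel-free name such as pccsmcfd.sys from the same log would also trip the name test. What singles out ltjgdmbd.sys is the combination with the rest of the evidence: the unknown ltjgdmbd service ComboFix removed, the loopback proxy, and the MBAM detection posted later in the thread.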

vyosek
VIP
Posts: 56373
Registered: 07 Nov 2006 15:24
Location: Šalingrad - Brno

Re: probably a rootkit in the notebook

#12 Post by vyosek »

:arrow: Download Malwarebytes' Anti-Malware (MBAM for short) (see my signature)
  • Update it - the third tab
  • Run a full scan - do not delete anything :!:
  • MBAM occasionally has false positives, so paste the log into your post and wait for it to be assessed

morlock
Visitor
Posts: 95
Registered: 02 Sep 2010 23:12

Re: probably a rootkit in the notebook

#13 Post by morlock »

Scan finished - here is the log

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4536

Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

03/09/2010 20:47:35
mbam-log-2010-09-03 (20-47-35).txt

Scan type: Full scan (C:\|E:\|)
Objects scanned: 264871
Time elapsed: 1 hour(s), 3 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\Users\Kerry Dunne\AppData\Roaming\Microsoft\Windows\Templates\memory.tmp.vir (Spyware.Passwords.XGen) -> No action taken.
C:\Windows\System32\drivers\ltjgdmbd.sys (Rootkit.Agent) -> No action taken.

vyosek
VIP
Posts: 56373
Registered: 07 Nov 2006 15:24
Location: Šalingrad - Brno

Re: probably a rootkit in the notebook

#14 Post by vyosek »

Delete everything MBAM found :wink:

And now let's check for rootkits :) in case another one is still hiding :?:

:arrow: Uninstall all virtual drive emulators (Daemon Tools, Alcohol 120%, PowerISO and the like)

:arrow: Download SPTD http://www.duplexsecure.com/en/downloads
  • Pick the version for your operating system from that page (32-bit (x86) or 64-bit (x64))
  • Save it to the desktop and run it
  • Choose Uninstall and restart the PC - if the button cannot be clicked (it is greyed out), skip this step
:arrow: Download Defogger http://www.jpshortstuff.247fixes.com/Defogger.exe
  • Save it to the desktop and run it
  • Click Disable and restart the PC - if the button cannot be clicked (it is greyed out), skip this step
:arrow: Download MBR to the desktop http://www2.gmer.net/mbr/mbr.exe

:arrow: Click Start and then Run, or use the keyboard shortcut Win+R
  • A box will pop up; copy the text below into it
  • Code:

    "%userprofile%\Desktop\mbr" -t
  • Click OK
  • A log named mbr.txt will be created on the desktop; paste its contents here
:arrow: Post the GMER logs - see my signature

morlock
Visitor
Posts: 95
Registered: 02 Sep 2010 23:12

Re: probably a rootkit in the notebook

#15 Post by morlock »

Hello, I hope I did everything as instructed - here is the MBR log and 2 GMER logs; the second GMER log is terribly long, so I had to split it into several parts

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: error reading MBR
kernel: error reading MBR

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-09-04 16:10:32
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\KERRYD~1\AppData\Local\Temp\awlyiaog.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- EOF - GMER 1.0.15 ----


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-09-04 16:40:21
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\KERRYD~1\AppData\Local\Temp\awlyiaog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwAlpcConnectPort [0x8E324570]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwAlpcCreatePort [0x8E324E46]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwConnectPort [0x8E323FC6]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateFile [0x8E31D884]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateKey [0x8E33EFA8]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreatePort [0x8E324AD0]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateProcess [0x8E338E42]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0x8E33926A]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateSection [0x8E3436FE]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0x8E324C2E]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteFile [0x8E31E5B4]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteKey [0x8E340A50]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0x8E340346]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0x8E337C26]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey [0x8E34141A]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0x8E341658]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKeyEx [0x8E341B0A]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenFile [0x8E31E16C]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenProcess [0x8E33B358]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenThread [0x8E33AF46]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRenameKey [0x8E3424E0]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwReplaceKey [0x8E341DD4]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0x8E323B5E]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRestoreKey [0x8E342F40]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0x8E324292]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0x8E31E9BE]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetSecurityObject [0x8E342A68]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetValueKey [0x8E33FA6A]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0x8E339F66]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0x8E339C96]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateUserProcess [0x8E3396DE]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 13D 820E18A0 8 Bytes [70, 45, 32, 8E, 46, 4E, 32, ...] {JO 0x47; XOR CL, [ESI-0x71cdb1ba]}
.text ntkrnlpa.exe!KeSetEvent + 1C1 820E1924 4 Bytes [C6, 3F, 32, 8E]
.text ntkrnlpa.exe!KeSetEvent + 1D9 820E193C 4 Bytes [84, D8, 31, 8E]
.text ntkrnlpa.exe!KeSetEvent + 1E9 820E194C 4 Bytes [A8, EF, 33, 8E]
.text ntkrnlpa.exe!KeSetEvent + 205 820E1968 12 Bytes [D0, 4A, 32, 8E, 42, 8E, 33, ...] {ROR BYTE [EDX+0x32], 0x1; MOV ES, [EDX-0x72]; XOR ECX, [ESI-0x71cc6d96]}
.text ...
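
Added example, not from the thread and not GMER's own output: the "Kernel code sections" entries in the second GMER log list patched bytes at ntkrnlpa.exe!KeSetEvent offsets, and when those bytes are read as little-endian 32-bit pointers they are the same addresses listed as SSDT hooks a few lines earlier (70 45 32 8E is 0x8E324570, the ZwAlpcConnectPort hook). The script below does that decoding over an excerpt constructed from the posted lines and cross-checks each pointer against the SSDT table parsed from the same text; every pointer resolves to a vsdatant.sys (ZoneAlarm) hook. Reading this as GMER reporting the ZoneAlarm-hooked SSDT slots a second time, rather than an independent inline patch of KeSetEvent, is my interpretation of the posted lines, not something GMER states.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt: SSDT and 'Kernel code sections' lines copied from the second GMER log above.
GMER_EXCERPT = r"""
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwAlpcConnectPort [0x8E324570]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwAlpcCreatePort [0x8E324E46]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwConnectPort [0x8E323FC6]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateFile [0x8E31D884]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateKey [0x8E33EFA8]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreatePort [0x8E324AD0]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateProcess [0x8E338E42]
.text ntkrnlpa.exe!KeSetEvent + 13D 820E18A0 8 Bytes [70, 45, 32, 8E, 46, 4E, 32, ...] {JO 0x47; XOR CL, [ESI-0x71cdb1ba]}
.text ntkrnlpa.exe!KeSetEvent + 1C1 820E1924 4 Bytes [C6, 3F, 32, 8E]
.text ntkrnlpa.exe!KeSetEvent + 1D9 820E193C 4 Bytes [84, D8, 31, 8E]
.text ntkrnlpa.exe!KeSetEvent + 1E9 820E194C 4 Bytes [A8, EF, 33, 8E]
.text ntkrnlpa.exe!KeSetEvent + 205 820E1968 12 Bytes [D0, 4A, 32, 8E, 42, 8E, 33, ...] {ROR BYTE [EDX+0x32], 0x1; MOV ES, [EDX-0x72]; XOR ECX, [ESI-0x71cc6d96]}
"""

SSDT_LINE = re.compile(r"^SSDT (?P<module>\S+) \((?P<desc>[^)]*)\) (?P<func>\w+) \[0x(?P<addr>[0-9A-Fa-f]+)\]")
PATCH_LINE = re.compile(
    r"^\.text (?P<symbol>\S+) \+ (?P<offset>[0-9A-Fa-f]+) (?P<va>[0-9A-Fa-f]+) "
    r"(?P<count>\d+) Bytes \[(?P<bytes>[^\]]*)\]"
)


def parse_ssdt(text: str) -> Dict[int, Tuple[str, str]]:
    """Hook address -> (hooked Zw* function, module GMER attributes the hook to)."""
    hooks: Dict[int, Tuple[str, str]] = {}
    for line in text.splitlines():
        m = SSDT_LINE.match(line.strip())
        if m:
            hooks[int(m["addr"], 16)] = (m["func"], m["module"])
    return hooks


def parse_patch_bytes(field: str) -> List[int]:
    """'70, 45, 32, 8E, ...' -> [0x70, 0x45, 0x32, 0x8E]; GMER's trailing '...' is dropped."""
    toks = (t.strip() for t in field.split(","))
    return [int(t, 16) for t in toks if re.fullmatch(r"[0-9A-Fa-f]{2}", t)]


def explain_patches(text: str) -> List[dict]:
    """Decode each patch's bytes as little-endian dwords and look them up in the SSDT hook table.
    GMER truncates the dump after seven bytes, so a trailing 1-3 byte group is matched on its
    low bytes only and reported as a list of candidate hooks."""
    hooks = parse_ssdt(text)
    out: List[dict] = []
    for line in text.splitlines():
        m = PATCH_LINE.match(line.strip())
        if not m:
            continue
        b = parse_patch_bytes(m["bytes"])
        whole = len(b) // 4 * 4
        resolved = []
        for i in range(0, whole, 4):
            dword = int.from_bytes(bytes(b[i:i + 4]), "little")
            resolved.append((dword, hooks[dword][0] if dword in hooks else None))
        partial = []
        tail = b[whole:]
        if tail:
            low = int.from_bytes(bytes(tail), "little")
            mask = (1 << (8 * len(tail))) - 1
            partial.append((low, [hooks[a][0] for a in sorted(hooks) if a & mask == low]))
        out.append({"symbol": m["symbol"], "offset": int(m["offset"], 16),
                    "resolved": resolved, "partial": partial})
    return out


def patches_explained_by_ssdt(text: str) -> bool:
    """True when every full pointer and every truncated tail maps to exactly one SSDT hook."""
    for p in explain_patches(text):
        if any(func is None for _, func in p["resolved"]):
            return False
        if any(len(cands) != 1 for _, cands in p["partial"]):
            return False
    return True


if __name__ == "__main__":
    for p in explain_patches(GMER_EXCERPT):
        full = ", ".join(f"0x{a:08X}={f}" for a, f in p["resolved"])
        tail = ", ".join(f"..{lo:06X}~{'/'.join(c) or '?'}" for lo, c in p["partial"])
        print(f"{p['symbol']}+{p['offset']:X}: {full} {tail}".rstrip())
    print("all patch pointers are SSDT hook addresses:", patches_explained_by_ssdt(GMER_EXCERPT))
```

The same check is worth running on any GMER log where a firewall or antivirus hooks the SSDT: a "kernel code section" whose bytes are the hook table's own pointers is attributable to that product, while bytes that resolve to nothing in the SSDT list are what would deserve a closer look. Because GMER cuts the dump at seven bytes, the second pointer of the 8- and 12-byte entries survives only as its low three bytes, which is why the script matches the tail against the low bytes of every hook and insists on a single candidate before reporting the log as explained.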
