
PC disinfection, speeding up your computer, remote help via the neslape.cz service
PC freezes after startup with AVAST Free + win32: rootkit-gen [Rtk]
Moderator: Moderators
Forum rules
If you want help, post a log from FRST [guide here] or RSIT [guide here]
Individual threads will be locked once resolved. Likewise those inactive for more than 14 days. See the Rule on locking topics. Thank you for your understanding.
!NEWS!
You can now use the remote help service, where a specialist connects to your computer and obtains further details about the problem from you by phone! More at www.neslape.cz
Hello,
I'm asking for help; my problem is this:
After starting Win XP with AVAST Free installed, the PC freezes = it doesn't respond. The mouse cursor moves, but the PC doesn't react to anything, and when it occasionally does, it's with a delay of several minutes. If I uninstall AVAST in safe mode, the PC works normally. After reinstalling the antivirus the PC works for a few days without problems, but then the same situation (freeze) occurs again. After scanning the hard disk with the antivirus, several win32: rootkit-gen [Rtk] were found and were supposedly moved to the virus chest. So I'm asking for advice on how to proceed in removing this pest. Which programs should I send logs from, whether to run them with Avast uninstalled in normal mode, or in safe mode.... etc.
Thank you very much for your answers.
Re: PC freezes after startup with AVAST Free + win32: rootkit-gen [
Hello and have a nice day
For now, keep working in safe mode
First I'd ask you for an RSIT log - see my signature



Re: PC freezes after startup with AVAST Free + win32: rootkit-gen [
Logfile of random's system information tool 1.08 (written by random/random)
Run by Administrator at 2011-05-19 12:27:37
Systém Microsoft Windows XP Professional Service Pack 2
System drive C: has 10 GB (52%) free of 20 GB
Total RAM: 511 MB (78% free)
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:27:41, on 19.5.2011
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Administrator\Plocha\RSIT.exe
C:\Program Files\trend micro\Administrator.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE
O4 - HKCU\..\RunOnce: [nltide1] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll"
O4 - HKCU\..\RunOnce: [nltide2] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,L,,4,N
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Povolit program Bezdrátová klávesnice a myš Labtec.lnk = ?
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{5E01B581-7DC7-4BA6-8D4D-D9BF1C987BA0}: NameServer = 192.168.111.100
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Proces mezipaměti kategorií součástí - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
--
End of file - 4376 bytes
======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2010-09-22 75200]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2011-02-09 41760]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2011-02-09 79648]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Smapp"=C:\Program Files\Analog Devices\SoundMAX\SMTray.exe [2003-05-05 143360]
"StartCCC"=C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [2010-02-10 61440]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2010-09-23 35760]
"Adobe ARM"=C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2010-09-20 932288]
"SunJavaUpdateSched"=C:\Program Files\Common Files\Java\Java Update\jusched.exe [2010-10-29 249064]
"avast"=C:\Program Files\AVAST Software\Avast\avastUI.exe [2011-05-10 3459712]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"=C:\WINDOWS\system32\CTFMON.EXE [2004-08-17 15360]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide1"=cmd.exe /C move /Y C:\WINDOWS\System32\syssetub.dll C:\WINDOWS\System32\syssetup.dll []
"nltide2"=cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,L,,4,N []
C:\Documents and Settings\All Users\Nabídka Start\Programy\Po spuštění
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Povolit program Bezdrátová klávesnice a myš Labtec.lnk - C:\Program Files\Bezdrátová klávesnice a myš Labtec\MagicKey.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2010-02-11 155648]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=67108863
"NoDriveTypeAutoRun"=323
"NoDrives"=0
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\WINDOWS\system32\CNAB4RPK.EXE"="C:\WINDOWS\system32\CNAB4RPK.EXE:*:Enabled:Canon LBP2900 RPC Server Process"
"C:\Program Files\Miranda IM\miranda32.exe"="C:\Program Files\Miranda IM\miranda32.exe:*:Enabled:Miranda IM"
"C:\totalcmd\TOTALCMD.EXE"="C:\totalcmd\TOTALCMD.EXE:*:Enabled:Total Commander 32 bit"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
======List of files/folders created in the last 1 months======
2011-05-19 12:26:37 ----D---- C:\WINDOWS\CSC
2011-05-19 12:23:06 ----D---- C:\rsit
2011-05-19 12:23:06 ----D---- C:\Program Files\trend micro
2011-05-17 10:16:59 ----A---- C:\WINDOWS\system32\drivers\aswTdi.sys
2011-05-17 10:16:59 ----A---- C:\WINDOWS\system32\drivers\aswSP.sys
2011-05-17 10:16:59 ----A---- C:\WINDOWS\system32\drivers\aswSnx.sys
2011-05-17 10:16:59 ----A---- C:\WINDOWS\system32\drivers\aswRdr.sys
2011-05-17 10:16:59 ----A---- C:\WINDOWS\system32\drivers\aswmon2.sys
2011-05-17 10:16:59 ----A---- C:\WINDOWS\system32\drivers\aswmon.sys
2011-05-17 10:16:59 ----A---- C:\WINDOWS\system32\drivers\aswFsBlk.sys
2011-05-17 10:16:59 ----A---- C:\WINDOWS\system32\drivers\aavmker4.sys
2011-05-17 10:16:47 ----A---- C:\WINDOWS\system32\aswBoot.exe
2011-04-28 12:42:34 ----SHD---- C:\RECYCLER
2011-04-26 17:27:19 ----D---- C:\Program Files\VideoLAN
======List of files/folders modified in the last 1 months======
2011-05-19 12:27:20 ----D---- C:\Documents and Settings\Administrator\Data aplikací\Mozilla
2011-05-19 12:27:08 ----A---- C:\WINDOWS\ntbtlog.txt
2011-05-19 12:26:37 ----D---- C:\WINDOWS
2011-05-19 12:23:06 ----RD---- C:\Program Files
2011-05-19 11:24:10 ----D---- C:\WINDOWS\Temp
2011-05-19 11:24:10 ----A---- C:\WINDOWS\SchedLgU.Txt
2011-05-19 11:13:24 ----D---- C:\WINDOWS\Prefetch
2011-05-18 21:34:25 ----D---- C:\WINDOWS\system32
2011-05-17 10:44:20 ----D---- C:\WINDOWS\system32\CatRoot2
2011-05-17 10:16:59 ----D---- C:\WINDOWS\system32\drivers
2011-05-17 10:16:56 ----SHD---- C:\WINDOWS\Installer
2011-05-17 10:16:54 ----D---- C:\WINDOWS\WinSxS
2011-05-17 10:16:54 ----D---- C:\Program Files\Common Files\Microsoft Shared
2011-05-17 10:16:32 ----D---- C:\Documents and Settings\All Users\Data aplikací\AVAST Software
2011-05-17 10:12:25 ----D---- C:\Qoobox
2011-05-12 19:48:32 ----D---- C:\Program Files\Mozilla Firefox
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R0 sptd;sptd; C:\WINDOWS\System32\Drivers\sptd.sys [2010-07-26 639224]
R0 uagp35;Filtr Microsoft AGPv3.5; C:\WINDOWS\system32\DRIVERS\uagp35.sys [2004-08-04 44672]
R0 viaagp1;VIA AGP Filter; C:\WINDOWS\system32\DRIVERS\viaagp1.sys [2003-07-02 27904]
R0 viasraid;viasraid; C:\WINDOWS\system32\drivers\viasraid.sys [2003-10-31 77312]
R1 aswRdr;aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [2011-05-10 25432]
R1 kbfilter;Keyboard Filter Driver; C:\WINDOWS\system32\drivers\kbfilter.sys [2003-03-27 11776]
R1 moufiltr;Mouse Filter Driver; C:\WINDOWS\system32\drivers\moufiltr.sys [2003-01-23 9548]
R3 usbuhci;Ovladač Microsoft univerzálního hostitelského řadiče USB od společnosti Microsoft; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-04 20480]
R3 yukonwxp;NDIS5.1 Miniport Driver for Marvell Yukon Gigabit Ethernet Adapter; C:\WINDOWS\system32\DRIVERS\yukonwxp.sys [2003-11-10 174464]
S1 Aavmker4;avast! Asynchronous Virus Monitor; C:\WINDOWS\system32\drivers\Aavmker4.sys [2011-05-10 30808]
S1 AmdK7;Ovladač procesoru AMD K7; C:\WINDOWS\system32\DRIVERS\amdk7.sys [2006-11-18 41216]
S1 aswSnx;aswSnx; C:\WINDOWS\system32\drivers\aswSnx.sys [2011-05-10 441176]
S1 aswSP;aswSP; C:\WINDOWS\system32\drivers\aswSP.sys [2011-05-10 307928]
S1 aswTdi;avast! Network Shield Support; C:\WINDOWS\system32\drivers\aswTdi.sys [2011-05-10 49240]
S2 aswFsBlk;aswFsBlk; C:\WINDOWS\system32\drivers\aswFsBlk.sys [2011-05-10 19544]
S2 aswMon2;aswMon2; C:\WINDOWS\system32\drivers\aswMon2.sys [2011-05-10 102616]
S2 EIO;EIO; \??\C:\WINDOWS\system32\drivers\EIO.sys []
S3 a0dqm0wg;a0dqm0wg; C:\WINDOWS\system32\drivers\a0dqm0wg.sys []
S3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys [2002-04-01 4816]
S3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2010-02-11 3565056]
S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
S3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-04 20992]
S3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2003-07-15 578368]
S3 usbprint;Třída USB Printer; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
S3 USBSTOR;Ovladač velkokapacitního paměťového zařízení USB; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S4 WS2IFSL;Podpůrné prostředí zprostředkovatele služeb Windows Socket 2.0 bez podpory IFS; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2001-10-25 12032]
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
S2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2010-02-11 602112]
S2 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2010-02-10 593920]
S2 avast! Antivirus;avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2011-05-10 42184]
S2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2011-02-02 153376]
S2 SoundMAX Agent Service (default);SoundMAX Agent Service; C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe [2002-09-20 45056]
S2 StarWindService;StarWind iSCSI Service; C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe [2005-04-02 217600]
S2 TomTomHOMEService;TomTomHOMEService; C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe [2011-03-09 92592]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 UMWdf;Sada ovladačů pro uživatelský režim systému Windows; C:\WINDOWS\system32\wdfmgr.exe [2004-08-10 38912]
-----------------EOF-----------------
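The driver list in the RSIT log above is the section a helper reads first. The following Python is an added example, not code from this thread or from RSIT's authors: it parses lines in the format of that section and flags the two things an analyst would want pointed out, entries where RSIT recorded no date/size (it could not read the file at the stated path) and service names that look machine-generated. The "looks generated" heuristic is this example's own assumption, not an RSIT feature, and the sample lines are copied from the log posted above. The output is a review list, not a verdict: catchme.sys is flagged only because its path points into C:\ComboFix, a tool directory, so a human still decides what each hit means.

```python
import re
from dataclasses import dataclass, field

# Shape of one RSIT driver/service line (sample values from the log above), e.g.
#   R0 sptd;sptd; C:\WINDOWS\System32\Drivers\sptd.sys [2010-07-26 639224]
#   S3 a0dqm0wg;a0dqm0wg; C:\WINDOWS\system32\drivers\a0dqm0wg.sys []
# state R/S, start type 0-4, service name, display name, image path, [date size]
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4]) "
    r"(?P<name>[^;]+);(?P<display>[^;]*); "
    r"(?P<path>.+?) \[(?P<meta>[^\]]*)\]$"
)

# Lines copied from the RSIT log posted in this thread (used here as sample input).
SAMPLE_LINES = [
    r"R0 sptd;sptd; C:\WINDOWS\System32\Drivers\sptd.sys [2010-07-26 639224]",
    r"R0 uagp35;Filtr Microsoft AGPv3.5; C:\WINDOWS\system32\DRIVERS\uagp35.sys [2004-08-04 44672]",
    r"R1 aswRdr;aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [2011-05-10 25432]",
    r"R3 yukonwxp;NDIS5.1 Miniport Driver for Marvell Yukon Gigabit Ethernet Adapter; C:\WINDOWS\system32\DRIVERS\yukonwxp.sys [2003-11-10 174464]",
    r"S2 EIO;EIO; \??\C:\WINDOWS\system32\drivers\EIO.sys []",
    r"S3 a0dqm0wg;a0dqm0wg; C:\WINDOWS\system32\drivers\a0dqm0wg.sys []",
    r"S3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2010-02-11 3565056]",
    r"S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []",
    r"S3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-04 20992]",
]

VOWELS = set("aeiouy")


@dataclass
class DriverEntry:
    state: str
    start_type: int
    name: str
    display: str
    path: str
    meta: str                      # "" when RSIT printed an empty [] for the file
    reasons: list = field(default_factory=list)


def parse_line(line):
    """Return a DriverEntry for one RSIT driver/service line, or None if it
    does not match the format (section headers, blank lines, other sections)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return DriverEntry(m["state"], int(m["start"]), m["name"],
                       m["display"], m["path"], m["meta"])


def looks_generated(name):
    """Heuristic (an assumption of this example, not an RSIT feature): a
    lowercase alphanumeric name of 8+ characters that mixes digits in among
    the letters (not just a numeric suffix like rtl8139) and has few vowels
    reads like a machine-generated service name rather than a vendor's
    abbreviation. Vendor names such as ati2mtag pass because of their vowels."""
    if len(name) < 8 or not re.fullmatch(r"[a-z0-9]+", name):
        return False
    letters = [c for c in name if c.isalpha()]
    digit_positions = [i for i, c in enumerate(name) if c.isdigit()]
    if not digit_positions or not letters:
        return False
    last_letter = max(i for i, c in enumerate(name) if c.isalpha())
    if min(digit_positions) > last_letter:   # digits only as a trailing suffix
        return False
    vowel_fraction = sum(c in VOWELS for c in letters) / len(letters)
    return vowel_fraction < 0.25


def triage(lines):
    """Parse every matching line and keep only entries with at least one
    review reason attached. Nothing here declares an entry malicious."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        if entry.meta == "":
            entry.reasons.append(
                "no date/size recorded: RSIT could not read the file at that path")
        if looks_generated(entry.name):
            entry.reasons.append("service name looks machine-generated")
        if entry.reasons:
            findings.append(entry)
    return findings


if __name__ == "__main__":
    for entry in triage(SAMPLE_LINES):
        print(f"{entry.state}{entry.start_type} {entry.name}: {entry.path}")
        for reason in entry.reasons:
            print(f"    - {reason}")
```

Run against the sample, the script lists EIO and catchme for the missing file metadata and a0dqm0wg for both reasons, while sptd, uagp35, yukonwxp, ati2mtag and rtl8139 are left alone. Feeding it the whole "List of drivers" and "List of services" sections of an RSIT log works the same way, since both use the same line format.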
Re: PC freezes after startup with AVAST Free + win32: rootkit-gen [

PLEASE READ THE INSTRUCTIONS CAREFULLY - THIS UTILITY HAS A GREAT CAPACITY TO DELETE AND MUST ONLY BE USED WHEN RECOMMENDED, OTHERWISE YOUR SYSTEM MAY GO BELLY UP

- Turn off all resident security programs - firewalls, antiviruses, antispyware etc.
- If you have Win XP, run it under the Administrator account
- If you have Win Vista or Win 7, right-click Combofix and choose Run As Administrator
- Immediately after start, a page with the license agreement appears; continue by clicking Yes
- If CF offers to install the Recovery Console, agree
- Then follow the prompts; during the scan leave the PC completely alone - don't launch any applications and don't click in the window that appears
- The scan should take about 10 min, but if the PC is heavily infested the time may be longer
- After the scan finishes and a possible restart, CF displays a log; otherwise find it at C:\ComboFix.txt, and paste its contents here
- A detailed procedure incl. pictures is here http://www.bleepingcomputer.com/combofi ... t-combofix
Re: PC freezes after startup with AVAST Free + win32: rootkit-gen [
Thank you for your time and for helping me.
When ComboFix starts, it reports that I have the Avast resident shield enabled and that I should terminate it before continuing. But in the Task Manager processes I don't see any process related to Avast. So how do I terminate it?
Re: PC freezes after startup with AVAST Free + win32: rootkit-gen [Rtk]
Carry on; it does not run in Safe Mode, but CF thinks it does...
Re: PC freezes after startup with AVAST Free + win32: rootkit-gen [Rtk]
ComboFix 11-05-18.03 - Administrator 19.05.2011 12:45:57.6.1 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1250.420.1029.18.511.283 [GMT 2:00]
Running from: c:\documents and settings\Administrator\Plocha\Beruska.com.exe
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Miroslav Boháč\WINDOWS
.
.
((((((((((((((((((((((((( Files Created from 2011-04-19 to 2011-05-19 )))))))))))))))))))))))))))))))
.
.
2011-05-19 10:27 . 2011-05-19 10:27 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Data aplikací\Mozilla
2011-05-19 10:23 . 2011-05-19 10:27 -------- d-----w- c:\program files\trend micro
2011-05-19 10:23 . 2011-05-19 10:23 -------- d-----w- C:\rsit
2011-05-17 08:16 . 2011-05-10 12:03 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-05-17 08:16 . 2011-05-10 12:03 307928 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-05-17 08:16 . 2011-05-10 12:02 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-05-17 08:16 . 2011-05-10 12:02 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-05-17 08:16 . 2011-05-10 12:02 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-05-17 08:16 . 2011-05-10 11:59 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-05-17 08:16 . 2011-05-10 11:59 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-05-17 08:16 . 2011-05-10 11:59 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-05-17 08:16 . 2011-05-10 12:10 40112 ----a-w- c:\windows\avastSS.scr
2011-05-17 08:16 . 2011-05-10 12:10 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-04-28 10:41 . 2011-04-28 10:41 -------- d-----w- c:\documents and settings\Miroslav Boháč\Local Settings\Data aplikací\GHISLER
2011-04-26 15:29 . 2011-04-26 15:29 -------- d-----w- c:\documents and settings\Miroslav Boháč\Data aplikací\vlc
2011-04-26 15:27 . 2011-04-26 15:27 -------- d-----w- c:\program files\VideoLAN
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-30 12:40 . 2011-04-04 09:49 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
.
[-] 2006-11-18 . 43EB41219C6BE8CAE74E79959562607A . 1548288 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2011-03-17_19.10.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-11 22:02 . 2009-07-11 22:02 51008 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 51008 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 59728 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90rus.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 59728 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90rus.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 42832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90kor.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 42832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90kor.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 43344 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90jpn.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 43344 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90jpn.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 61264 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90ita.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 61264 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90ita.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 36688 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90cht.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 36688 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90cht.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 35648 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90chs.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 35648 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90chs.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 62800 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90fra.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 62800 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90fra.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 61760 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esp.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 61760 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esp.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esn.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esn.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 53568 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90enu.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 53568 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90enu.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 63296 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90deu.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 63296 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90deu.dll
+ 2009-07-11 22:05 . 2009-07-11 22:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90u.dll
- 2009-07-11 23:05 . 2009-07-11 23:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90u.dll
- 2009-07-11 23:05 . 2009-07-11 23:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90.dll
+ 2009-07-11 22:05 . 2009-07-11 22:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90.dll
- 2001-10-25 15:00 . 2010-10-31 15:31 58596 c:\windows\system32\perfc009.dat
+ 2001-10-25 15:00 . 2011-03-27 15:16 58596 c:\windows\system32\perfc009.dat
- 2001-10-25 15:00 . 2010-10-31 15:31 68736 c:\windows\system32\perfc005.dat
+ 2001-10-25 15:00 . 2011-03-27 15:16 68736 c:\windows\system32\perfc005.dat
+ 2009-07-11 22:02 . 2009-07-11 22:02 653120 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcr90.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 653120 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcr90.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 569664 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcp90.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 569664 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcp90.dll
+ 2009-07-11 22:05 . 2009-07-11 22:05 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcm90.dll
- 2009-07-11 23:05 . 2009-07-11 23:05 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcm90.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 159032 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 159032 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll
+ 2001-10-25 15:00 . 2011-03-27 15:16 392296 c:\windows\system32\perfh009.dat
- 2001-10-25 15:00 . 2010-10-31 15:31 392296 c:\windows\system32\perfh009.dat
- 2001-10-25 15:00 . 2010-10-31 15:31 389664 c:\windows\system32\perfh005.dat
+ 2001-10-25 15:00 . 2011-03-27 15:16 389664 c:\windows\system32\perfh005.dat
+ 2011-04-26 15:18 . 2011-04-26 15:18 235168 c:\windows\system32\Macromed\Flash\FlashUtil10p_Plugin.exe
+ 2010-11-07 15:55 . 2011-02-02 20:40 157472 c:\windows\system32\javaws.exe
- 2010-11-07 15:55 . 2010-11-12 17:53 157472 c:\windows\system32\javaws.exe
+ 2010-11-07 15:55 . 2011-02-02 20:40 145184 c:\windows\system32\javaw.exe
- 2010-11-07 15:55 . 2010-11-12 17:53 145184 c:\windows\system32\javaw.exe
- 2010-11-07 15:55 . 2010-11-12 17:53 145184 c:\windows\system32\java.exe
+ 2010-11-07 15:55 . 2011-02-02 20:40 145184 c:\windows\system32\java.exe
- 2010-07-25 20:44 . 2010-11-12 17:53 472808 c:\windows\system32\deployJava1.dll
+ 2010-07-25 20:44 . 2011-02-02 20:40 472808 c:\windows\system32\deployJava1.dll
+ 2011-03-17 19:16 . 2011-03-17 19:16 180224 c:\windows\Installer\5a981.msi
+ 2011-03-20 17:47 . 2011-03-20 17:47 146944 c:\windows\Installer\2ba453.msi
+ 2009-07-11 22:02 . 2009-07-11 22:02 3780424 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90u.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 3780424 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90u.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 3765048 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 3765048 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90.dll
- 2010-07-23 10:40 . 2011-03-17 18:45 6053536 c:\windows\system32\Macromed\Flash\NPSWF32.dll
+ 2010-07-23 10:40 . 2011-04-26 15:18 6053536 c:\windows\system32\Macromed\Flash\NPSWF32.dll
.
-- Snapshot reset to current date --
.
(((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries and legitimate default entries are not shown.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-05-10 12:10 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 143360]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-02-10 61440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-05-10 3459712]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-17 15360]
.
c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2011-2-3 113664]
Povolit program Bezdrátová klávesnice a myš Labtec.lnk - c:\program files\Bezdrátová klávesnice a myš Labtec\MagicKey.exe [2010-7-23 258048]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\CNAB4RPK.EXE"=
"c:\\Program Files\\Miranda IM\\miranda32.exe"=
"c:\\totalcmd\\TOTALCMD.EXE"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1756:TCP"= 1756:TCP:pevybzu
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [26.7.2010 15:27 639224]
R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [13.4.2004 19:09 77312]
R1 kbfilter;Keyboard Filter Driver;c:\windows\system32\drivers\kbfilter.sys [23.7.2010 12:19 11776]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [17.5.2011 10:16 441176]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [17.5.2011 10:16 307928]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [17.5.2011 10:16 19544]
S2 hvhmh;System Security;c:\windows\system32\svchost.exe -k netsvcs [17.8.2004 16:49 14336]
S2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [9.3.2011 14:30 92592]
S2 tykzv;Center Server;c:\windows\system32\svchost.exe -k netsvcs [17.8.2004 16:49 14336]
S2 wrvgfkw;Config Universal;c:\windows\system32\svchost.exe -k netsvcs [17.8.2004 16:49 14336]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
hvhmh
wrvgfkw
tykzv
.
.
------- Supplementary Scan -------
.
TCP: {5E01B581-7DC7-4BA6-8D4D-D9BF1C987BA0} = 192.168.111.100
FF - ProfilePath - c:\documents and settings\Administrator\Data aplikací\Mozilla\Firefox\Profiles\9nls0fg3.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-19 12:48
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hvhmh]
"ServiceDll"="c:\windows\system32\rqtbu.dll"
--
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\tykzv]
"ServiceDll"="c:\windows\system32\rqtbu.dll"
--
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wrvgfkw]
"ServiceDll"="c:\windows\system32\rqtbu.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(720)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2011-05-19 12:50:00
ComboFix-quarantined-files.txt 2011-05-19 10:49
ComboFix2.txt 2011-03-17 19:12
.
Pre-Run: 10,897,653,760 bytes free
Post-Run: 10,968,834,048 bytes free
.
- - End Of File - - D604400E5CA83850767162DE906DA814
Re: PC freezes after startup with AVAST Free + win32: rootkit-gen [

- Open Notepad (Start - Run - notepad)
- Copy the script below
Code:
KillAll::

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1756:TCP"=-

Driver::
hvhmh
tykzv
wrvgfkw

NetSvc::
hvhmh
wrvgfkw
tykzv

Collect::
c:\windows\system32\rqtbu.dll

Rootkit::
c:\windows\system32\rqtbu.dll

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

Reboot::
- Save the resulting TXT as CFScript.txt
- Drag the CFScript.txt you created onto ComboFix and run it (see the picture below)
- After the script has been applied (and after a possible restart) a log will pop up; paste its contents here
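
Added example (not part of this thread and not ComboFix's own code): a small Python parser for the CFScript directive format used above (`Name::` on its own line, then one entry per line until the next directive), plus a check that every name listed under Driver:: and NetSvc:: appears as removed in the "Ovladače/Služby" section of the follow-up ComboFix log. The script text and the six log lines are copied from this thread; the directive names are the ones the script uses.

```python
import re

# CFScript as posted in this thread, re-broken into one entry per line.
CFSCRIPT = """\
KillAll::
Registry::
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile\\GloballyOpenPorts\\List]
"1756:TCP"=-
Driver::
hvhmh
tykzv
wrvgfkw
NetSvc::
hvhmh
wrvgfkw
tykzv
Collect::
c:\\windows\\system32\\rqtbu.dll
Rootkit::
c:\\windows\\system32\\rqtbu.dll
RegLock::
[HKEY_LOCAL_MACHINE\\software\\Classes\\CLSID\\{A483C63A-CDBC-426E-BF93-872502E8144E}]
Reboot::
"""

# "Ovladače/Služby" section of the follow-up log, as posted in this thread.
LOG_EXCERPT = """\
-------\\Legacy_HVHMH
-------\\Legacy_TYKZV
-------\\Legacy_WRVGFKW
-------\\Service_hvhmh
-------\\Service_tykzv
-------\\Service_wrvgfkw
"""

DIRECTIVE_RE = re.compile(r"^([A-Za-z]+)::$")
REMOVED_RE = re.compile(r"^-------\\(Legacy|Service)_(\S+)$", re.M)


def parse_cfscript(text):
    """Split a CFScript into {directive: [entries]}; directives without
    entries (KillAll::, Reboot::) map to an empty list."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def removed_services(log_text):
    """Service/driver names ComboFix reports as removed, lower-cased
    (the log writes Legacy_ entries in upper case, Service_ in lower)."""
    return {m.group(2).lower() for m in REMOVED_RE.finditer(log_text)}


def verify_removal(script_text, log_text):
    """Names requested under Driver::/NetSvc:: that the log does not
    list as removed; an empty list means the script did what was asked."""
    sections = parse_cfscript(script_text)
    requested = {n.lower() for key in ("Driver", "NetSvc")
                 for n in sections.get(key, [])}
    return sorted(requested - removed_services(log_text))


if __name__ == "__main__":
    for name, entries in parse_cfscript(CFSCRIPT).items():
        print(f"{name}:: {entries}")
    missing = verify_removal(CFSCRIPT, LOG_EXCERPT)
    print("all requested services removed" if not missing else f"still present: {missing}")
```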

Re: PC freezes after startup with AVAST Free + win32: rootkit-gen [
After running the script the PC restarted and booted into normal mode. A ComboFix window came up reading "Prosím čekejte" ("Please wait"). It has been about 20 minutes now and nothing is happening; the disk is not working. Shouldn't I uninstall Avast first? Hasn't the PC frozen the way I describe above?
Re: PC freezes after startup with AVAST Free + win32: rootkit-gen [
Try running the script once more; there is no need to uninstall Avast...
Re: PC freezes after startup with AVAST Free + win32: rootkit-gen [
ComboFix 11-05-18.03 - Administrator 19.05.2011 16:47:16.8.1 - x86 NETWORK
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.420.1029.18.511.392 [GMT 2:00]
Spuštěný z: c:\documents and settings\Administrator\Plocha\Beruska.com.exe
Použité ovládací přepínače :: c:\documents and settings\Administrator\Plocha\CFScript.txt
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_HVHMH
-------\Legacy_TYKZV
-------\Legacy_WRVGFKW
-------\Service_hvhmh
-------\Service_tykzv
-------\Service_wrvgfkw
.
.
((((((((((((((((((((((((( Soubory vytvořené od 2011-04-19 do 2011-05-19 )))))))))))))))))))))))))))))))
.
.
2011-05-19 10:27 . 2011-05-19 10:27 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Data aplikací\Mozilla
2011-05-19 10:23 . 2011-05-19 10:27 -------- d-----w- c:\program files\trend micro
2011-05-19 10:23 . 2011-05-19 10:23 -------- d-----w- C:\rsit
2011-05-17 08:16 . 2011-05-10 12:03 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-05-17 08:16 . 2011-05-10 12:03 307928 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-05-17 08:16 . 2011-05-10 12:02 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-05-17 08:16 . 2011-05-10 12:02 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-05-17 08:16 . 2011-05-10 12:02 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-05-17 08:16 . 2011-05-10 11:59 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-05-17 08:16 . 2011-05-10 11:59 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-05-17 08:16 . 2011-05-10 11:59 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-05-17 08:16 . 2011-05-10 12:10 40112 ----a-w- c:\windows\avastSS.scr
2011-05-17 08:16 . 2011-05-10 12:10 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-04-28 10:41 . 2011-04-28 10:41 -------- d-----w- c:\documents and settings\Miroslav Boháč\Local Settings\Data aplikací\GHISLER
2011-04-26 15:29 . 2011-04-26 15:29 -------- d-----w- c:\documents and settings\Miroslav Boháč\Data aplikací\vlc
2011-04-26 15:27 . 2011-04-26 15:27 -------- d-----w- c:\program files\VideoLAN
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-30 12:40 . 2011-04-04 09:49 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
.
Chyba šifrovací služby !!
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-05-10 12:10 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2011-03-09 247728]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 143360]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-02-10 61440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-05-10 3459712]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-17 15360]
.
c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2011-2-3 113664]
Povolit program Bezdrátová klávesnice a myš Labtec.lnk - c:\program files\Bezdrátová klávesnice a myš Labtec\MagicKey.exe [2010-7-23 258048]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\CNAB4RPK.EXE"=
"c:\\Program Files\\Miranda IM\\miranda32.exe"=
"c:\\totalcmd\\TOTALCMD.EXE"=
.
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [2011-03-09 92592]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-07-26 639224]
S0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2003-10-31 77312]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S1 kbfilter;Keyboard Filter Driver; [x]
S2 aswFsBlk;aswFsBlk; [x]
.
.
.
------- Doplňkový sken -------
.
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {5E01B581-7DC7-4BA6-8D4D-D9BF1C987BA0} = 192.168.111.100
FF - ProfilePath - c:\documents and settings\Miroslav Boháč\Data aplikací\Mozilla\Firefox\Profiles\0y9qvfkg.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.atlas.cz
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-19 16:55
Windows 5.1.2600 Service Pack 2 NTFS
.
skenování skrytých procesů ...
.
skenování skrytých položek 'Po spuštění' ...
.
skenování skrytých souborů ...
.
sken byl úspešně dokončen
skryté soubory: 0
.
**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------
.
- - - - - - - > 'winlogon.exe'(784)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(184)
c:\windows\system32\MSCTF.dll
c:\progra~1\WINDOW~2\wmpband.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\program files\Bezdrátová klávesnice a myš Labtec\OSD.EXE
.
**************************************************************************
.
Celkový čas: 2011-05-19 16:55:38 - počítač byl restartován
ComboFix-quarantined-files.txt 2011-05-19 14:55
ComboFix2.txt 2011-05-19 10:50
ComboFix3.txt 2011-03-17 19:12
.
Před spuštěním: Volných bajtů: 10 905 800 704
Po spuštění: Volných bajtů: 10 929 938 432
.
- - End Of File - - B82F21B3220A7B82F715691ECBB758A2
Re: PC freezes after startup with AVAST Free + win32: rootkit-gen [
The malware has been wiped out; how is the PC behaving?

Re: PC freezes after startup with AVAST Free + win32: rootkit-gen [
I still have to use Safe Mode; in normal mode the computer is still frozen after startup and cannot be used at all, and the Avast icon in the notification area shows a red cross, which after a few minutes turns into an orange exclamation mark and reports that the system is not protected... when I tried to fix this earlier, the only thing that helped was uninstalling Avast and reinstalling it; the computer then behaved normally for a few days, but then this problem came back.
Re: PC freezes after startup with AVAST Free + win32: rootkit-gen [

Re: PC freezes after startup with AVAST Free + win32: rootkit-gen [
Automatická kontrola: dokončeno před 2 min. (události: 30, objekty: 466235, čas: 02:20:59)
19.5.2011 20:05:07 Úloha byla dokončena
19.5.2011 19:52:00 Odstraněno: Trojan-GameThief.Win32.OnLineGames.xvct E:\System Volume Information\_restore{093DF633-362C-47FA-A5C1-A325DCFE189A}\RP99\A0049566.exe
19.5.2011 19:51:50 Zjištěno: Trojan-GameThief.Win32.OnLineGames.xvct E:\System Volume Information\_restore{093DF633-362C-47FA-A5C1-A325DCFE189A}\RP99\A0049566.exe/UPX/data0002
19.5.2011 19:50:02 Odstraněno: not-a-virus:AdWare.Win32.CommonName.df E:\Programy\Vypalování\CloneCD\SetupCloneCD4019.exe
19.5.2011 19:50:01 Zjištěno: not-a-virus:AdWare.Win32.CommonName.df E:\Programy\Vypalování\CloneCD\SetupCloneCD4019.exe
19.5.2011 19:49:47 Odstraněno: not-a-virus:AdWare.Win32.Dap.c E:\Programy\Stahování\Download Accelerator\dap53.exe
19.5.2011 19:49:07 Zjištěno: not-a-virus:AdWare.Win32.Dap.c E:\Programy\Stahování\Download Accelerator\dap53.exe/WISE0021.BIN/dapiebar.dll
19.5.2011 19:45:20 Odstraněno: not-a-virus:AdWare.Win32.MyWay.f E:\Programy\Multimedia\freeripmp3.exe
19.5.2011 19:45:18 Zjištěno: not-a-virus:AdWare.Win32.MyWay.f E:\Programy\Multimedia\freeripmp3.exe/data0011/#
19.5.2011 19:45:18 Zjištěno: not-a-virus:AdWare.Win32.Excite.a E:\Programy\Multimedia\freeripmp3.exe/data0011/#
19.5.2011 19:45:18 Zjištěno: not-a-virus:AdWare.Win32.MyWay.f E:\Programy\Multimedia\freeripmp3.exe/data0011/#/data0005.res
19.5.2011 19:45:17 Zjištěno: not-a-virus:AdWare.Win32.Excite.a E:\Programy\Multimedia\freeripmp3.exe/data0011/#/data0001.res
19.5.2011 19:45:16 Zjištěno: not-a-virus:AdWare.Win32.MyWay.f E:\Programy\Multimedia\freeripmp3.exe/data0011/data0000.res/#
19.5.2011 19:45:15 Zjištěno: not-a-virus:AdWare.Win32.Excite.a E:\Programy\Multimedia\freeripmp3.exe/data0011/data0000.res/#
19.5.2011 19:45:15 Zjištěno: not-a-virus:AdWare.Win32.MyWay.f E:\Programy\Multimedia\freeripmp3.exe/data0011/data0000.res/data0005.res
19.5.2011 19:44:52 Zjištěno: not-a-virus:AdWare.Win32.Excite.a E:\Programy\Multimedia\freeripmp3.exe/data0011/data0000.res/data0001.res
19.5.2011 19:42:17 Odstraněno: Backdoor.Win32.DarkMoon.lv E:\Programy\Komunikace\TeamSpeak\teamspeak2.exe
19.5.2011 19:41:21 Zjištěno: Backdoor.Win32.DarkMoon.lv E:\Programy\Komunikace\TeamSpeak\teamspeak2.exe/data0001
19.5.2011 19:03:41 Odstraněno: Backdoor.Win32.SdBot.tsw D:\System Volume Information\_restore{AA5EECFC-3EBF-4398-B4DF-C4081D10F180}\RP21\A0009371.exe
19.5.2011 19:03:38 Zjištěno: Backdoor.Win32.SdBot.tsw D:\System Volume Information\_restore{AA5EECFC-3EBF-4398-B4DF-C4081D10F180}\RP21\A0009371.exe
19.5.2011 19:03:28 Odstraněno: Backdoor.Win32.SdBot.tsw D:\System Volume Information\_restore{AA5EECFC-3EBF-4398-B4DF-C4081D10F180}\RP19\A0009248.exe
19.5.2011 19:02:24 Zjištěno: Backdoor.Win32.SdBot.tsw D:\System Volume Information\_restore{AA5EECFC-3EBF-4398-B4DF-C4081D10F180}\RP19\A0009248.exe
19.5.2011 18:43:01 Odstraněno: Backdoor.Win32.SdBot.tsw D:\System Volume Information\_restore{61312E10-3246-4B4E-B8F2-DA0E4D77ACAB}\RP72\A0007230.exe
19.5.2011 18:41:49 Zjištěno: Backdoor.Win32.SdBot.tsw D:\System Volume Information\_restore{61312E10-3246-4B4E-B8F2-DA0E4D77ACAB}\RP72\A0007230.exe
19.5.2011 18:26:44 Neošetřeno: Backdoor.Win32.SdBot.tsw D:\Hry\GTR2\rld-gtr2.iso/Crack/GTR2.exe Zápis není podporován
19.5.2011 18:26:44 Zjištěno: Backdoor.Win32.SdBot.tsw D:\Hry\GTR2\rld-gtr2.iso/Crack/GTR2.exe
19.5.2011 18:00:05 Odstraněno: Net-Worm.Win32.Kido.ih C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\C92BWLUV\sehmqkl[1].png
19.5.2011 17:59:53 Neošetřeno: Net-Worm.Win32.Kido.ih C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\C92BWLUV\sehmqkl[1].png/UPX Nelze dezinfikovat
19.5.2011 17:55:44 Zjištěno: Net-Worm.Win32.Kido.ih C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\C92BWLUV\sehmqkl[1].png/UPX
19.5.2011 17:44:08 Úloha byla spuštěna