VIRY.CZ

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-14 19:19:36
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\User\LOCALS~1\Temp\kfkyrfod.sys

---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF770287E] <-- ROOTKIT !!!
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF7702BFE] <-- ROOTKIT !!!

---- Kernel code sections - GMER 1.0.15 ----

? tsylszz.sys Zařízení připojené k systému nefunguje. !
PAGE Fastfat.sys F728FCC0 4 Bytes CALL 867912F9
init C:\WINDOWS\system32\drivers\tifm21.sys entry point in "init" section [0xF6E5423F]
? C:\DOCUME~1\User\LOCALS~1\Temp\mbr.sys Systém nemůže nalézt uvedený soubor. !

---- User code sections - GMER 1.0.15 ----

? C:\WINDOWS\System32\svchost.exe[3172] image checksum mismatch; number of sections mismatch; time/date stamp mismatch;
.text C:\Program Files\Mozilla Firefox\firefox.exe[3464] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegQueryValueExW] 51EC8B55
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorDacl] 1845DB51
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetEntriesInAclW] F855DD56
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorGroup] E8084DDC
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorOwner] 000004D2
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!InitializeSecurityDescriptor] FF184589
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!GetTokenInformation] 40516015
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!OpenProcessToken] F845DD00
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!OpenThreadToken] 8B104DDC
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetServiceStatus] 1865DAF0
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegisterServiceCtrlHandlerW] 0004B9E8
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegCloseKey] 8BC88B00
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegOpenKeyExW] F74199C6
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!StartServiceCtrlDispatcherW] C28B5EF9
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!WideCharToMultiByte] 2B08244C
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrlenW] 9904244C
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LocalFree] 8BF9F741
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentProcess] 244403C2
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentThread] FF56C304
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetProcAddress] 40516015
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryExW] 244C8B00
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LCMapStringW] 244403C1
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!FreeLibrary] 15FFC308
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcpyW] [00405160] C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!ExpandEnvironmentStringsW] 04244C8B
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcmpiW] F9F74199
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!ExitProcess] FFC3C28B
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCommandLineW] 40516015
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!InitializeCriticalSection] 646A9900
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetProcessHeap] 33F9F759
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!SetErrorMode] 24543BC0
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!SetUnhandledExceptionFilter] C09C0F04
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!RegisterWaitForSingleObject] EC8B55C3
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!InterlockedCompareExchange] 0204EC81
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryA] 68560000
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!QueryPerformanceCounter] 00000100
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetTickCount] 515815FF
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentThreadId] 8B590040
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentProcessId] 00FFB8F0
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetSystemTimeAsFileTime] 8D500000
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!TerminateProcess] FFFEFC8D
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!UnhandledExceptionFilter] C93351FF
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LocalAlloc] 558D5151
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcmpW] 8D5052FC
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!DelayLoadFailureHook] FFFDFC85
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtQuerySecurityObject] 40504415
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlFreeHeap] 56216A00
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtOpenKey] FFFC75FF
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcscat] 40515C15
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcscpy] 0CC48300
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlAllocateHeap] C01BD8F7
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlCompareUnicodeString] C95EC623
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlInitUnicodeString] EC8B55C3
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlInitializeSid] 458B5151
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlLengthRequiredSid] 33565308
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlSubAuthoritySid] 57C88BF6
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtClose] 33FC7589
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlSubAuthorityCountSid] 01518DFF
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlGetDaclSecurityDescriptor] 8441198A
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlQueryInformationAcl] 2BF975DB
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlGetAce] 802974CA
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlImageNtHeader] 7420063C
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcslen] 75FF850A
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlUnhandledExceptionFilter] 45FF470C
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlCopySid] 8506EBFC
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIfEx] 46C88BFF
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtWaitServerListen] 8A01518D
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtSetServerStackSize] DB844119
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIf] CA2BF975
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerListen] D772F13B
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUseProtseqEpW] 5FFC458B
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerRegisterIf] C3C95B5E
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!I_RpcMapWin32Status] 83EC8B55
IAT C:\WINDOWS\System32\svchost.exe[3172] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtStopServerListening] 56530CEC

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Fastfat \FatCdrom 86762450

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp Lbd.sys (Boot Driver/Lavasoft AB)

Device \FileSystem\Fastfat \Fat 86762450

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] tsylszz <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\tsylszz@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\tsylszz@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\tsylszz@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\tsylszz@Group Boot Bus Extender
Reg HKLM\SYSTEM\CurrentControlSet\Services\tsylszz@{f86c0ae6-5097-0fda-a0af-31caea571c47} 1
Reg HKLM\SYSTEM\ControlSet003\Services\tsylszz@Type 1
Reg HKLM\SYSTEM\ControlSet003\Services\tsylszz@Start 0
Reg HKLM\SYSTEM\ControlSet003\Services\tsylszz@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\tsylszz@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet003\Services\tsylszz@{f86c0ae6-5097-0fda-a0af-31caea571c47} 1

---- EOF - GMER 1.0.15 ----

Znovu spusťte Gmer a přepněte se na záložku "CMD". Do horního černého okna zkopírujte následující skript a klikněte na tlačítko "Run".

Kód: Vybrat vše

gmer -killall
gmer -del service "tsylszz"
gmer -reboot

Stáhněte a uložte, nejlépe na plochu http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Vypněte všechny rezidentní bezpečnostní programy - firewally, antiviry, antispywary
Spusťte aplikaci pod účtem s oprávněním Administrátora (Správce), ihned po startu se zobrazí stránka s licenčními podmínkami, pokračujte stisknutím tlačítka "Ano"
Dále postupujte dle pokynů, během scanu nespouštějte jiné aplikace a neklikejte do zobrazujícího se okna
Scan by měl trvat okolo 5 - 10 minut, po dokončení Combofix zobrazí log C:\ComboFix.txt , který sem vložte.
Během skenování může být počítač restartován.

Po sputění skriptu v CDM záložce GMER
asi neproběhlo to co mělo, log ze spodního černého okna:
gmer nenˇ n zvem vnitýnˇho ani vnŘjçˇho pýˇkazu,
spustiteln‚ho programu nebo d vkov‚ho souboru.
gmer nenˇ n zvem vnitýnˇho ani vnŘjçˇho pýˇkazu,
spustiteln‚ho programu nebo d vkov‚ho souboru.
gmer nenˇ n zvem vnitýnˇho ani vnŘjçˇho pýˇkazu,
spustiteln‚ho programu nebo d vkov‚ho souboru.

Pokračujte ComboFixem.

ComboFix 10-05-14.06 - User 15.05.2010 10:47:21.1.1 - FAT32x86
Spuštěný z: c:\documents and settings\User\Dokumenty\Stažené soubory\ComboFix.exe
c:\windows\system32\vbscript.dll chybí
.

((((((((((((((((((((((((( Soubory vytvořené od 2010-04-15 do 2010-05-15 )))))))))))))))))))))))))))))))
.

2010-05-14 16:10 . 2010-05-14 16:10 -------- d-----w- C:\_OTL
2010-05-11 20:31 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-11 20:31 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-11 20:31 . 2010-05-11 20:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-10 17:48 . 2010-05-10 17:48 -------- d-----w- c:\documents and settings\LocalService\Plocha
2010-05-10 17:36 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-05-10 17:36 . 2010-05-10 17:36 -------- d-----w- c:\windows\system32\DRVSTORE
2010-05-10 17:36 . 2010-05-10 17:36 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-10 17:26 . 2010-05-10 17:26 -------- d-----w- c:\program files\Lavasoft
2010-05-08 18:22 . 2010-05-08 18:22 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-28 16:54 . 2010-04-28 16:54 -------- d-----w- c:\program files\Zoner
2010-04-28 16:54 . 2010-04-28 16:54 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-27 17:43 . 2010-04-27 17:43 -------- d-----w- c:\program files\JPEG Resampler
2010-04-27 16:58 . 2010-04-27 16:58 -------- d-----w- c:\program files\FastStone Photo Resizer
2010-04-20 14:39 . 2010-04-20 14:39 -------- d-----w- c:\program files\uTorrent

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-01 18:45 . 2010-04-01 18:45 -------- d-----w- c:\program files\Essentials Codec Pack
2010-03-21 17:13 . 2010-03-21 17:13 -------- d-----w- c:\program files\Microsoft Silverlight
.

(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 11:01 1230080 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"preload"="c:\windows\RUNXMLPL.exe" [2004-04-20 40960]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-05 688218]
"LaunchAp"="c:\program files\Launch Manager\LaunchAp.exe" [2005-03-30 32768]
"PowerKey"="c:\program files\Launch Manager\PowerKey.exe" [2002-08-30 94208]
"LManager"="c:\program files\Launch Manager\HotkeyApp.exe" [2005-05-19 69632]
"CtrlVol"="c:\program files\Launch Manager\CtrlVol.exe" [2003-09-16 20480]
"LMgrOSD"="c:\program files\Launch Manager\OSDCtrl.exe" [2004-10-11 245760]
"Wbutton"="c:\program files\Launch Manager\Wbutton.exe" [2005-04-18 81920]
"PCMService"="c:\program files\Arcade\PCMService.exe" [2005-03-09 49152]
"SoundMan"="SOUNDMAN.EXE" [2005-08-17 90112]
"eRecoveryService"="c:\windows\System32\Check.exe" [2005-03-23 245760]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-19 2046816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-18 07:23 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\WINDOWS\\System32\\dpvsetup.exe"=
"c:\\Program Files\\QIP\\qip.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R0 wwupqgp;wwupqgp; [x]
R1 mailKmd;mailKmd; [x]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-10-15 133104]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-05-10 1285864]
R3 SI15CI;SI15CI;c:\elements\1stboot\SI15CI.SYS [x]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [x]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-02-04 64288]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-08-18 335240]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-05-08 108552]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-08-18 908056]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-08-18 297752]
S3 HSFHWATI;HSFHWATI;c:\windows\system32\DRIVERS\HSFHWATI.sys [2004-12-15 200192]
S3 POWERKEY;POWERKEY;c:\program files\Launch Manager\POWERKEY.sys [2000-12-19 2343]

--- Ostatní služby/ovladače v paměti ---

*Deregistered* - kfkyrfod
*Deregistered* - tsylszz
.
Obsah adresáře 'Naplánované úlohy'

2010-05-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-15 14:41]

2010-05-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-15 14:41]

2010-05-14 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 17:34]
.
.
------- Doplňkový sken -------
.
uInternet Connection Wizard,ShellNext = hxxp://global.acer.com/
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\User\Data aplikací\Mozilla\Firefox\Profiles\kdf2207o.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.seznam.cz
FF - prefs.js: keyword.URL - hxxp://search.qip.ru/search?from=FF&query=
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-15 10:51
Windows 5.1.2600 Service Pack 2 FAT NTAPI

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\tsylszz]

.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(864)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(2024)
c:\program files\CyberLink\Shared Files\CLRCEngine.dll
.
Celkový čas: 2010-05-15 10:52:47
ComboFix-quarantined-files.txt 2010-05-15 08:52

Před spuštěním: Volných bajtů: 40 260 501 504
Po spuštění: Volných bajtů: 40 225 177 600

WindowsXP-KB310994-SP2-Home-BootDisk-CSY.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect

- - End Of File - - 0EF4824FAEF352CBAE179B5F742DA03F

Pokud nemáte, přesuňte Combofix na plochu

Otevřete si Poznámkový blok a zkopírujte do něj text z bílého okénka.

Kód: Vybrat vše

Driver::
wwupqgp
mailKmd
kfkyrfod
tsylszz

Restore::
C:\WINDOWS\System32\svchost.exe

Uložte Vámi vytvořený TXT soubor jako CFScript.txt na plochu
Po uložení uchopte vámi vytvořený skript levým myšítkem a přesuňte ho nad ikonu Combofixu, kde ho upustíte:
Po aplikaci na Vás vypadne další log,vložte ho sem

Může se stát, že po aplikaci skriptu a restartu Windows nenaběhnou, v tom případě znovu restartujte a přitom mačkejte F8, pak zvolte Poslední známou funkční konfiguraci

ComboFix 10-05-14.06 - User 15.05.2010 11:24:10.2.1 - FAT32x86
Spuštěný z: c:\documents and settings\User\Plocha\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\User\Plocha\CFScript.txt
c:\windows\system32\vbscript.dll chybí
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\System32\svchost.exe . . . je infikován!!

.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_KFKYRFOD
-------\Legacy_TSYLSZZ
-------\Service_kfkyrfod
-------\Service_mailKmd
-------\Service_tsylszz
-------\Service_wwupqgp

((((((((((((((((((((((((( Soubory vytvořené od 2010-04-15 do 2010-05-15 )))))))))))))))))))))))))))))))
.

2010-05-14 16:10 . 2010-05-14 16:10 -------- d-----w- C:\_OTL
2010-05-11 20:31 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-11 20:31 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-11 20:31 . 2010-05-11 20:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-11 07:07 . 2010-05-15 09:28 859648 ----a-w- c:\windows\system32\drivers\tsylszz.sys
2010-05-10 17:48 . 2010-05-10 17:48 -------- d-----w- c:\documents and settings\LocalService\Plocha
2010-05-10 17:36 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-05-10 17:36 . 2010-05-10 17:36 -------- d-----w- c:\windows\system32\DRVSTORE
2010-05-10 17:36 . 2010-05-10 17:36 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-10 17:26 . 2010-05-10 17:26 -------- d-----w- c:\program files\Lavasoft
2010-05-08 18:22 . 2010-05-08 18:22 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-28 16:54 . 2010-04-28 16:54 -------- d-----w- c:\program files\Zoner
2010-04-28 16:54 . 2010-04-28 16:54 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-27 17:43 . 2010-04-27 17:43 -------- d-----w- c:\program files\JPEG Resampler
2010-04-27 16:58 . 2010-04-27 16:58 -------- d-----w- c:\program files\FastStone Photo Resizer
2010-04-20 14:39 . 2010-04-20 14:39 -------- d-----w- c:\program files\uTorrent

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-01 18:45 . 2010-04-01 18:45 -------- d-----w- c:\program files\Essentials Codec Pack
2010-03-21 17:13 . 2010-03-21 17:13 -------- d-----w- c:\program files\Microsoft Silverlight
.

(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 11:01 1230080 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"preload"="c:\windows\RUNXMLPL.exe" [2004-04-20 40960]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-05 688218]
"LaunchAp"="c:\program files\Launch Manager\LaunchAp.exe" [2005-03-30 32768]
"PowerKey"="c:\program files\Launch Manager\PowerKey.exe" [2002-08-30 94208]
"LManager"="c:\program files\Launch Manager\HotkeyApp.exe" [2005-05-19 69632]
"CtrlVol"="c:\program files\Launch Manager\CtrlVol.exe" [2003-09-16 20480]
"LMgrOSD"="c:\program files\Launch Manager\OSDCtrl.exe" [2004-10-11 245760]
"Wbutton"="c:\program files\Launch Manager\Wbutton.exe" [2005-04-18 81920]
"PCMService"="c:\program files\Arcade\PCMService.exe" [2005-03-09 49152]
"SoundMan"="SOUNDMAN.EXE" [2005-08-17 90112]
"eRecoveryService"="c:\windows\System32\Check.exe" [2005-03-23 245760]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-19 2046816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-18 07:23 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\WINDOWS\\System32\\dpvsetup.exe"=
"c:\\Program Files\\QIP\\qip.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-10-15 133104]
R3 SI15CI;SI15CI;c:\elements\1stboot\SI15CI.SYS [x]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [x]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-02-04 64288]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-08-18 335240]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-05-08 108552]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-08-18 908056]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-08-18 297752]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-05-10 1285864]
S3 HSFHWATI;HSFHWATI;c:\windows\system32\DRIVERS\HSFHWATI.sys [2004-12-15 200192]
S3 POWERKEY;POWERKEY;c:\program files\Launch Manager\POWERKEY.sys [2000-12-19 2343]

.
Obsah adresáře 'Naplánované úlohy'

2010-05-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-15 14:41]

2010-05-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-15 14:41]

2010-05-14 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 17:34]
.
.
------- Doplňkový sken -------
.
uInternet Connection Wizard,ShellNext = hxxp://global.acer.com/
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\User\Data aplikací\Mozilla\Firefox\Profiles\kdf2207o.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.seznam.cz
FF - prefs.js: keyword.URL - hxxp://search.qip.ru/search?from=FF&query=
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-15 11:32
Windows 5.1.2600 Service Pack 2 FAT NTAPI

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(848)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(3376)
c:\program files\CyberLink\Shared Files\CLRCEngine.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\wltrysvc.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\bcmwltry.exe
c:\acer\eManager\anbmServ.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\WLTRAY.exe
c:\windows\SOUNDMAN.EXE
c:\windows\system32\wbem\unsecapp.exe
c:\program files\acer\eRecovery\Monitor.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
.
**************************************************************************
.
Celkový čas: 2010-05-15 11:34:31 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-05-15 09:34
ComboFix2.txt 2010-05-15 08:52

Před spuštěním: Volných bajtů: 40 234 418 176
Po spuštění: Volných bajtů: 40 144 633 856

- - End Of File - - EE8FF5B6EA4F5EB5AE19CF6607B23560

Po restaru při spuštění Combofixu se mi zapnulo AVG a vyhodilo hlášku o záchytu Agent.rootkit.AG použil jsem tlačítko "Ignore"

Stáhněte a uložte na plochu SystemLook http://jpshortstuff.247fixes.com/SystemLook.exe

Spusťte, do okénka zkopírujte text z bílého okna.

Kód: Vybrat vše

:filefind
svchost.ex
vbscript.dll

klikněte na Look, po dokončení skenu na Vás vyskočí log, zkopírujte ho sem.

Kde AVG vir našlo

C:\WINDOWS\System32\Drivers\tsylszz.sys
Trojan horse Rootkit-Agent.EG

C:\Program Files\AVG\AVG8\Avgcmgr.exe
Proces ID: 376

C:\Program Files\AVG\AVG8\fixcfg.exe
Proces ID: 316

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 12:14 on 15/05/2010 by User (Administrator - Elevation successful)

========== filefind ==========

Searching for "svchost.ex"
No files found.

Searching for "vbscript.dll "
C:\WINDOWS\SoftwareDistribution\Download\ab04a73630759d84a46114bfca20f64c\vbscript.dll --a--- 434176 bytes [02:22 14/04/2008] [02:22 14/04/2008] BB1523FB4043ECB6CF6909BCCEDC1D7A

-=End Of File=-

Stáhněte a uložte na plochu SystemLook http://jpshortstuff.247fixes.com/SystemLook.exe

Spusťte, do okénka zkopírujte text z bílého okna.

Kód: Vybrat vše

:filefind
svchost.exe

klikněte na Look, po dokončení skenu na Vás vyskočí log, zkopírujte ho sem.

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 12:41 on 15/05/2010 by User (Administrator - Elevation successful)

========== filefind ==========

Searching for "svchost.exe"
C:\WINDOWS\ERDNT\cache\svchost.exe --a--- 14336 bytes [08:51 15/05/2010] [03:00 18/08/2004] DFBA2915B0BF58ABB288CD4C9318CB3F
C:\WINDOWS\SoftwareDistribution\Download\ab04a73630759d84a46114bfca20f64c\svchost.exe --a--- 14336 bytes [02:22 14/04/2008] [02:22 14/04/2008] BE4A520E29B6391F49E79CCC52044D93
C:\WINDOWS\system32\svchost.exe --a--- 14336 bytes [22:00 31/12/1979] [03:00 18/08/2004] DFBA2915B0BF58ABB288CD4C9318CB3F

-=End Of File=-

Následující kroky proveďte přesně v pořadí jak jsou.

Obrázek

Stáhněte a rozbalte soubor z přílohy na disk c: (Cesta souboru bude c:\svchost.exe, nesmí to být archív

)

svchost.zip: (7.49 KiB) Staženo 28 x

Pokud nemáte, přesuňte Combofix na plochu

otevřete si Poznámkový blok a zkopírujte do něj text z bílého okénka.

Kód: Vybrat vše

File::
C:\WINDOWS\System32\Drivers\tsylszz.sys

FCopy:: 
C:\svchost.exe | C:\WINDOWS\System32\svchost.exe

Uložte Vámi vytvořený TXT soubor jako CFScript.txt na plochu
Po uložení uchopte vámi vytvořený skript levým myšítkem a přesuňte ho nad ikonu Combofixu, kde ho upustíte:
Po aplikaci na Vás vypadne další log,vložte ho sem

Může se stát, že po aplikaci skriptu a restartu Windows nenaběhnou, v tom případě znovu restartujte a přitom mačkejte F8, pak zvolte Poslední známou funkční konfiguraci

ComboFix 10-05-14.06 - User 15.05.2010 12:58:33.3.1 - FAT32x86
Spuštěný z: c:\documents and settings\User\Plocha\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\User\Plocha\CFScript.txt

FILE ::
"c:\windows\System32\Drivers\tsylszz.sys"
c:\windows\system32\vbscript.dll chybí
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\svchost.exe

.
--------------- FCopy ---------------

c:\svchost.exe --> c:\WINDOWS\System32\svchost.exe
.
((((((((((((((((((((((((( Soubory vytvořené od 2010-04-15 do 2010-05-15 )))))))))))))))))))))))))))))))
.

2010-05-14 16:10 . 2010-05-14 16:10 -------- d-----w- C:\_OTL
2010-05-11 20:31 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-11 20:31 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-11 20:31 . 2010-05-11 20:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-10 17:48 . 2010-05-10 17:48 -------- d-----w- c:\documents and settings\LocalService\Plocha
2010-05-10 17:36 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-05-10 17:36 . 2010-05-10 17:36 -------- d-----w- c:\windows\system32\DRVSTORE
2010-05-10 17:36 . 2010-05-10 17:36 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-10 17:26 . 2010-05-10 17:26 -------- d-----w- c:\program files\Lavasoft
2010-05-08 18:22 . 2010-05-08 18:22 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-28 16:54 . 2010-04-28 16:54 -------- d-----w- c:\program files\Zoner
2010-04-28 16:54 . 2010-04-28 16:54 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-27 17:43 . 2010-04-27 17:43 -------- d-----w- c:\program files\JPEG Resampler
2010-04-27 16:58 . 2010-04-27 16:58 -------- d-----w- c:\program files\FastStone Photo Resizer
2010-04-20 14:39 . 2010-04-20 14:39 -------- d-----w- c:\program files\uTorrent

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-01 18:45 . 2010-04-01 18:45 -------- d-----w- c:\program files\Essentials Codec Pack
2010-03-21 17:13 . 2010-03-21 17:13 -------- d-----w- c:\program files\Microsoft Silverlight
.

((((((((((((((((((((((((((((( SnapShot@2010-05-15_09.31.11 )))))))))))))))))))))))))))))))))))))))))
.
+ 1979-12-31 22:00 . 2009-08-21 10:05 14336 c:\windows\system32\dllcache\svchost.exe
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 11:01 1230080 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"preload"="c:\windows\RUNXMLPL.exe" [2004-04-20 40960]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-05 688218]
"LaunchAp"="c:\program files\Launch Manager\LaunchAp.exe" [2005-03-30 32768]
"PowerKey"="c:\program files\Launch Manager\PowerKey.exe" [2002-08-30 94208]
"LManager"="c:\program files\Launch Manager\HotkeyApp.exe" [2005-05-19 69632]
"CtrlVol"="c:\program files\Launch Manager\CtrlVol.exe" [2003-09-16 20480]
"LMgrOSD"="c:\program files\Launch Manager\OSDCtrl.exe" [2004-10-11 245760]
"Wbutton"="c:\program files\Launch Manager\Wbutton.exe" [2005-04-18 81920]
"PCMService"="c:\program files\Arcade\PCMService.exe" [2005-03-09 49152]
"SoundMan"="SOUNDMAN.EXE" [2005-08-17 90112]
"eRecoveryService"="c:\windows\System32\Check.exe" [2005-03-23 245760]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-19 2046816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-18 07:23 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\WINDOWS\\System32\\dpvsetup.exe"=
"c:\\Program Files\\QIP\\qip.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-10-15 133104]
R3 SI15CI;SI15CI;c:\elements\1stboot\SI15CI.SYS [x]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [x]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-02-04 64288]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-08-18 335240]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-05-08 108552]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-08-18 908056]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-08-18 297752]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-05-10 1285864]
S3 HSFHWATI;HSFHWATI;c:\windows\system32\DRIVERS\HSFHWATI.sys [2004-12-15 200192]
S3 POWERKEY;POWERKEY;c:\program files\Launch Manager\POWERKEY.sys [2000-12-19 2343]

.
Obsah adresáře 'Naplánované úlohy'

2010-05-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-15 14:41]

2010-05-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-15 14:41]

2010-05-14 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 17:34]
.
.
------- Doplňkový sken -------
.
uInternet Connection Wizard,ShellNext = hxxp://global.acer.com/
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\User\Data aplikací\Mozilla\Firefox\Profiles\kdf2207o.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.seznam.cz
FF - prefs.js: keyword.URL - hxxp://search.qip.ru/search?from=FF&query=
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-15 13:04
Windows 5.1.2600 Service Pack 2 FAT NTAPI

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(848)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
Celkový čas: 2010-05-15 13:05:14
ComboFix-quarantined-files.txt 2010-05-15 11:05
ComboFix2.txt 2010-05-15 09:34
ComboFix3.txt 2010-05-15 08:52

Před spuštěním: Volných bajtů: 40 170 094 592
Po spuštění: Volných bajtů: 40 158 429 184

- - End Of File - - 030982B8C732544606BC32B3E30AEAB3

Poprosím o nové logy z Gmer.

VIRY.CZ

Prosím o kontrolu logu .SVCHOST.EXE proces 99%

Re: Prosím o kontrolu logu .SVCHOST.EXE proces 99%

Re: Prosím o kontrolu logu .SVCHOST.EXE proces 99%

Re: Prosím o kontrolu logu .SVCHOST.EXE proces 99%

Re: Prosím o kontrolu logu .SVCHOST.EXE proces 99%

Re: Prosím o kontrolu logu .SVCHOST.EXE proces 99%

Re: Prosím o kontrolu logu .SVCHOST.EXE proces 99%

Re: Prosím o kontrolu logu .SVCHOST.EXE proces 99%

Re: Prosím o kontrolu logu .SVCHOST.EXE proces 99%

Re: Prosím o kontrolu logu .SVCHOST.EXE proces 99%

Re: Prosím o kontrolu logu .SVCHOST.EXE proces 99%

Re: Prosím o kontrolu logu .SVCHOST.EXE proces 99%

Re: Prosím o kontrolu logu .SVCHOST.EXE proces 99%

Re: Prosím o kontrolu logu .SVCHOST.EXE proces 99%

Re: Prosím o kontrolu logu .SVCHOST.EXE proces 99%

Re: Prosím o kontrolu logu .SVCHOST.EXE proces 99%