Re: Please check my RSIT log

Posted: 18 Nov 2010 14:56
by vyosek
One more script for ComboFix; post the log here again.

Code:

KillAll::

Restore::
c:\windows\system32\drivers\atapi.sys

SRPeek::
c:\windows\system32\drivers\atapi.sys

Reboot::
Download SystemLook (see my signature) and save it to your desktop.
  • Paste the script below into the window
  • Code:

    :filefind
    atapi.sys
  • Click Look
  • The Look button changes to Scanning and greys out
  • Wait until the Scanning button changes back to Look; that is how you know SystemLook has finished its work
  • A log named SystemLook will pop up (or it will be saved on the desktop); paste its contents here
Do you have a Windows installation CD?

Re: Please check my RSIT log

Posted: 18 Nov 2010 15:32
by mafl
So here it is from ComboFix.

ComboFix 10-11-16.05 - AMD . 11. 2010 15:06:08.16.1 - x86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.421.1029.18.511.247 [GMT 1:00]
Running from: c:\documents and settings\AMD\Plocha\ComboFix.exe
Command switches used :: c:\documents and settings\AMD\Plocha\CFScript.txt
AV: Eset NOD32 Antivirus 2.70 *On-access scanning disabled* (Outdated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Resident AV is active

.
The following files were disabled during the run:
c:\program files\iolo\Common\Lib\sguard.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
Restored copy from - c:\windows\system32\dllcache\atapi.sys

.
((((((((((((((((((((((((( Files Created from 2010-10-18 to 2010-11-18 )))))))))))))))))))))))))))))))
.

2010-11-17 14:23 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe
2010-11-17 14:11 . 2010-11-17 14:53 -------- d-----w- c:\documents and settings\AMD\Local Settings\Data aplikací\ConduitEngine
2010-11-17 14:11 . 2010-11-17 14:11 -------- d-----w- c:\program files\ConduitEngine
2010-11-17 14:11 . 2010-11-17 14:11 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
2010-11-14 09:59 . 2010-11-14 09:59 -------- d-----w- c:\documents and settings\AMD\Data aplikací\GanymedeNet
2010-11-14 09:58 . 2010-09-21 15:30 120296 ----a-w- c:\program files\Mozilla Firefox\plugins\npganymedenet.dll
2010-11-14 09:57 . 2010-11-14 09:58 -------- d-----w- c:\program files\Ganymede
2010-11-06 18:57 . 2010-11-06 18:57 -------- d-----w- c:\program files\Governor of Poker
2010-11-06 18:49 . 2010-11-06 18:49 -------- d-----w- c:\program files\bfgclient
2010-11-06 18:43 . 2010-11-06 18:50 -------- d-----w- c:\documents and settings\All Users\Data aplikací\BigFishGamesCache
2010-11-05 14:10 . 2010-11-14 14:56 -------- d-----w- c:\program files\Valve
2010-11-02 19:47 . 2010-11-02 19:47 -------- d-----w- c:\documents and settings\All Users\Data aplikací\hps
2010-11-02 19:25 . 2010-11-02 19:25 -------- d-----w- c:\program files\Fotolab
2010-10-30 11:05 . 2006-06-07 20:43 5050368 ----a-w- c:\windows\system32\Kopie - atioglxx.dll
2010-10-25 18:24 . 2010-10-25 18:24 -------- d-----w- c:\documents and settings\AMD\Data aplikací\PlayFirst
2010-10-25 18:23 . 2010-10-25 18:24 -------- d-----w- c:\documents and settings\All Users\Data aplikací\PlayFirst

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

(((((((((((((((((((((((((((((((((((((((((( SR_Search ))))))))))))))))))))))))))))))))))))))))))))))))))))))))

[7] CDFE4411A69C224BD1D11B2DA92DAC51 95360 c:\windows\system32\dllcache\atapi.sys
[7] CDFE4411A69C224BD1D11B2DA92DAC51 95360 \RP857\A1294337.sys
[7] CDFE4411A69C224BD1D11B2DA92DAC51 95360 \RP859\A1300062.sys

[-] !HASH: COULD NOT OPEN FILE !!!!! 95360 c:\windows\system32\drivers\atapi.sys
[7] CDFE4411A69C224BD1D11B2DA92DAC51 95360 \RP857\A1294333.sys
[7] CDFE4411A69C224BD1D11B2DA92DAC51 95360 \RP859\A1300058.sys
.
------- Sigcheck -------

[7] 2004-08-03 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\atapi.sys
[-] 2004-08-03 20:59 . !HASH: COULD NOT OPEN FILE !!!!! . 95360 . . [------] . . c:\windows\system32\drivers\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{da21bd13-ca22-42e3-a071-98f08f1ca1e7}"= "c:\program files\Peer2Peer-EN\tbPee2.dll" [2010-10-18 3908192]
"{9565115d-c7d6-46d3-bd63-b67b481a4368}"= "c:\program files\PageRage\tbPag2.dll" [2010-10-18 3908192]
"{ce10bf86-da68-441e-91fa-38336363e3cd}"= "c:\program files\Movier-media\tbMov0.dll" [2010-09-26 2735200]

[HKEY_CLASSES_ROOT\clsid\{da21bd13-ca22-42e3-a071-98f08f1ca1e7}]

[HKEY_CLASSES_ROOT\clsid\{9565115d-c7d6-46d3-bd63-b67b481a4368}]

[HKEY_CLASSES_ROOT\clsid\{ce10bf86-da68-441e-91fa-38336363e3cd}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2010-10-18 10:26 3908192 ----a-w- c:\program files\ConduitEngine\ConduitEngine.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9565115d-c7d6-46d3-bd63-b67b481a4368}]
2010-10-18 10:26 3908192 ----a-w- c:\program files\PageRage\tbPag2.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ce10bf86-da68-441e-91fa-38336363e3cd}]
2010-09-26 17:56 2735200 ----a-w- c:\program files\Movier-media\tbMov0.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{da21bd13-ca22-42e3-a071-98f08f1ca1e7}]
2010-10-18 10:26 3908192 ----a-w- c:\program files\Peer2Peer-EN\tbPee2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{da21bd13-ca22-42e3-a071-98f08f1ca1e7}"= "c:\program files\Peer2Peer-EN\tbPee2.dll" [2010-10-18 3908192]
"{9565115d-c7d6-46d3-bd63-b67b481a4368}"= "c:\program files\PageRage\tbPag2.dll" [2010-10-18 3908192]
"{ce10bf86-da68-441e-91fa-38336363e3cd}"= "c:\program files\Movier-media\tbMov0.dll" [2010-09-26 2735200]

[HKEY_CLASSES_ROOT\clsid\{da21bd13-ca22-42e3-a071-98f08f1ca1e7}]

[HKEY_CLASSES_ROOT\clsid\{9565115d-c7d6-46d3-bd63-b67b481a4368}]

[HKEY_CLASSES_ROOT\clsid\{ce10bf86-da68-441e-91fa-38336363e3cd}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{DA21BD13-CA22-42E3-A071-98F08F1CA1E7}"= "c:\program files\Peer2Peer-EN\tbPee2.dll" [2010-10-18 3908192]
"{9565115D-C7D6-46D3-BD63-B67B481A4368}"= "c:\program files\PageRage\tbPag2.dll" [2010-10-18 3908192]
"{CE10BF86-DA68-441E-91FA-38336363E3CD}"= "c:\program files\Movier-media\tbMov0.dll" [2010-09-26 2735200]

[HKEY_CLASSES_ROOT\clsid\{da21bd13-ca22-42e3-a071-98f08f1ca1e7}]

[HKEY_CLASSES_ROOT\clsid\{9565115d-c7d6-46d3-bd63-b67b481a4368}]

[HKEY_CLASSES_ROOT\clsid\{ce10bf86-da68-441e-91fa-38336363e3cd}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2007-10-12 949376]
"Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2005-10-27 139264]
"NortonOnlineBackupReminder"="c:\program files\Symantec\Norton Online Backup\Activation\NOBuActivation.exe" [2009-11-03 3272552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-17 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\documents and settings\All Users\Data aplikací\TuneUp Software\TuneUp Utilities\WinStyler\tu_logonui.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0smrgdf c:\program files\iolo\System Mechanic Professional 6\

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" -NoStart

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
"Cmaudio"=RunDll32 cmicnfg.cpl,CMICtrlWnd
"NeroFilterCheck"=c:\program files\Common Files\Nero\Lib\NeroCheck.exe
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
"Monitor"=c:\windows\PixArt\PAC7311\Monitor.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Free Download Manager\\fdm.exe"=
"c:\\Program Files\\Valve\\hl.exe"=
"c:\\Program Files\\ICQ619_56_29\\ICQ.exe"=
"c:\\Program Files\\ICQ615_08_18\\ICQ.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Graffiti Studio 2.0\\Graffiti Studio.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Nero\\Nero8\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [17. 8. 2007 8:31 160640]
R0 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [17. 8. 2007 8:31 5248]
R0 rttmntr;R-TT Backup Archive Explorer;c:\windows\system32\drivers\rttmntr.sys [19. 11. 2004 15:11 200512]
R0 snaprtt;R-TT Snapshots Manager;c:\windows\system32\drivers\snaprtt.sys [19. 11. 2004 15:11 78624]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [30. 6. 2007 11:14 685816]
R1 anf0100.sys;anf0100.sys;c:\windows\system32\drivers\anf0100.sys [8. 12. 2009 14:19 9728]
R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [12. 10. 2007 19:01 15424]
R2 rttfsfilt;R-TT FS Filter;c:\windows\system32\drivers\rttfsfilt.sys [19. 11. 2004 15:11 27936]
S2 gupdate1ca2e612c1446a;Služba Google Update (gupdate1ca2e612c1446a);c:\program files\Google\Update\GoogleUpdate.exe [5. 9. 2009 20:42 133104]
S3 SE402RefCameraStill;miniSHOT (WDM);c:\windows\system32\drivers\aox402sc.sys [1. 9. 2007 15:02 67332]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2010-11-12 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2006-12-19 13:13]

2010-11-18 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2010-01-08 19:09]

2010-11-18 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1606980848-362288127-725345543-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 20:09]

2010-11-18 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1606980848-362288127-725345543-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 20:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.sk/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Prevziať pomocou FDM - file://c:\program files\Free Download Manager\dllink.htm
IE: Prevziať video pomocou FDM - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Prevziať vybrané pomocou FDM - file://c:\program files\Free Download Manager\dlselected.htm
IE: Prevziať všetko pomocou FDM - file://c:\program files\Free Download Manager\dlall.htm
IE: {{7E6A20FB-153F-402c-A84B-1A64E1955D3D} - {7E6A20FB-153F-402c-A84B-1A64E1955D3D} -
LSP: c:\windows\system32\imon.dll
TCP: {3C14DDFA-0C1A-49B7-B680-3FF8FC9E8231} = 10.1.1.2,192.168.202.1
DPF: {3D54FEE0-CE46-11D4-8288-0050BA6A5ABF} - file://c:\program files\NewSoft\Presto! Mr.Photo 3\CardExpr\iepiev20.cab
DPF: {8B0C8CF4-17F3-42D5-8D62-95F2E8339C26} - hxxp://symantec.softmall.com.tw/ftcdm/ftcdm.cab
FF - ProfilePath - c:\documents and settings\AMD\Data aplikací\Mozilla\Firefox\Profiles\aedj9z2a.default\
FF - prefs.js: browser.startup.homepage - www.google.sk
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\All Users\Data aplikací\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - component: c:\documents and settings\AMD\Data aplikací\Mozilla\Firefox\Profiles\aedj9z2a.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\documents and settings\AMD\Data aplikací\Mozilla\Firefox\Profiles\aedj9z2a.default\extensions\{9565115d-c7d6-46d3-bd63-b67b481a4368}\components\FFExternalAlert.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1698.5652\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npganymedenet.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npkimi.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npzylomgamesplayer.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-connections-per-server - 6
FF - user.js: network.http.max-persistent-connections-per-server - 3
FF - user.js: content.max.tokenizing.time - 1500000
FF - user.js: content.notify.interval - 750000
FF - user.js: nglayout.initialpaint.delay - 100
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".sk");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-18 15:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1606980848-362288127-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(832)
c:\windows\system32\Ati2evxx.dll
c:\program files\iolo\Common\Lib\sguard.dll

- - - - - - - > 'lsass.exe'(888)
c:\program files\iolo\Common\Lib\sguard.dll
c:\windows\system32\imon.dll
c:\program files\Eset\pr_imon.dll

- - - - - - - > 'explorer.exe'(3680)
c:\program files\iolo\Common\Lib\sguard.dll
c:\windows\system32\shdoclc.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll

- - - - - - - > 'csrss.exe'(804)
c:\program files\iolo\Common\Lib\sguard.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\program files\Eset\nod32krn.exe
c:\windows\system32\IoctlSvc.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-11-18 15:23:24 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-18 14:23
ComboFix2.txt 2010-11-18 13:50
ComboFix3.txt 2010-11-17 14:09

Pre-Run: Volných bajtů: 26 642 300 928
Post-Run: Volných bajtů: 26 627 440 640

- - End Of File - - E1D8E321D4927F0868B31F5EF500D27D

Re: Please check my RSIT log

Posted: 18 Nov 2010 15:37
by mafl
And here is the SystemLook log.

SystemLook 04.09.10 by jpshortstuff
Log created at 15:34 on 18/11/2010 by AMD
Administrator - Elevation successful

========== filefind ==========

Searching for "atapi.sys"
C:\WINDOWS\system32\dllcache\atapi.sys --a--c- 95360 bytes [20:59 03/08/2004] [20:59 03/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\system32\drivers\atapi.sys --a---- 95360 bytes [20:59 03/08/2004] [20:59 03/08/2004] (Unable to calculate MD5)

-= EOF =-
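The check the helper is running here with SystemLook (and ComboFix's SR_Search section earlier) is whether the active drivers\atapi.sys hashes the same as the Windows File Protection copy in dllcache, and whether it can be hashed at all; an admin-level tool that cannot read a driver file is itself the finding. The parser below automates that comparison over the log text. It is an added example, not part of the thread and not SystemLook's or ComboFix's own code; it assumes the filefind line layout shown in the log above, and the ServicePackFiles and example.sys lines in the sample are constructed.

```python
"""Parse SystemLook ``filefind`` output and flag driver copies that could not be
hashed or whose MD5 differs from the Windows File Protection copy in dllcache.

Added example for this thread; not SystemLook's or ComboFix's own code.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# One filefind result line: full path, 7 attribute flags, size, created and
# modified timestamps in brackets, then either a 32-hex MD5 or SystemLook's
# parenthesised error text such as "(Unable to calculate MD5)".
_LINE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<attrs>[-a-z]{7})\s+"
    r"(?P<size>\d+) bytes\s+"
    r"\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+"
    r"(?:(?P<md5>[0-9A-Fa-f]{32})|\((?P<err>[^)]*)\))\s*$"
)

# Sample input: the two atapi.sys lines are the ones from the SystemLook log
# in this thread; the ServicePackFiles line and the example.sys pair are
# constructed to exercise the "clean copy" and "mismatch" paths.
SAMPLE_LOG = r"""SystemLook 04.09.10 by jpshortstuff
Log created at 15:34 on 18/11/2010 by AMD
Administrator - Elevation successful

========== filefind ==========

Searching for "atapi.sys"
C:\WINDOWS\system32\dllcache\atapi.sys --a--c- 95360 bytes [20:59 03/08/2004] [20:59 03/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\system32\drivers\atapi.sys --a---- 95360 bytes [20:59 03/08/2004] [20:59 03/08/2004] (Unable to calculate MD5)
C:\WINDOWS\ServicePackFiles\i386\atapi.sys --a---- 95360 bytes [20:59 03/08/2004] [20:59 03/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51

Searching for "example.sys"
C:\WINDOWS\system32\dllcache\example.sys --a--c- 4096 bytes [10:00 01/01/2010] [10:00 01/01/2010] 0123456789ABCDEF0123456789ABCDEF
C:\WINDOWS\system32\drivers\example.sys --a---- 4096 bytes [10:00 01/01/2010] [10:00 01/01/2010] FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

-= EOF =-
"""


def parse_filefind(text: str) -> List[dict]:
    """Return one dict per result line; header, 'Searching for' and EOF lines are skipped."""
    entries: List[dict] = []
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue
        entries.append({
            "path": m.group("path"),
            "attrs": m.group("attrs"),
            "size": int(m.group("size")),
            "md5": m.group("md5").upper() if m.group("md5") else None,
            "error": m.group("err"),  # None when a hash was produced
        })
    return entries


def assess(entries: List[dict]) -> List[str]:
    """Compare every copy of a file name against its dllcache copy.

    dllcache is the Windows File Protection store ComboFix restored from in this
    thread, so it serves as the reference. Two conditions are flagged:
      * UNREADABLE: SystemLook could not hash the copy even with admin rights,
        which is what the thread's drivers copy of atapi.sys shows.
      * MISMATCH: the copy hashes differently from the dllcache reference.
    """
    by_name: Dict[str, List[dict]] = defaultdict(list)
    for e in entries:
        by_name[e["path"].rsplit("\\", 1)[-1].lower()].append(e)

    findings: List[str] = []
    for name, copies in sorted(by_name.items()):
        ref: Optional[dict] = next(
            (c for c in copies if "\\dllcache\\" in c["path"].lower() and c["md5"]), None
        )
        for c in copies:
            if c is ref:
                continue
            if c["md5"] is None:
                findings.append(f"UNREADABLE {c['path']}: {c['error']}")
            elif ref is None:
                findings.append(f"NO-REFERENCE {c['path']}: no hashable dllcache copy of {name}")
            elif c["md5"] != ref["md5"]:
                size_note = ", same size as reference" if c["size"] == ref["size"] else ""
                findings.append(f"MISMATCH {c['path']}: {c['md5']} != dllcache {ref['md5']}{size_note}")
    return findings


if __name__ == "__main__":
    for line in assess(parse_filefind(SAMPLE_LOG)):
        print(line)
```

A copy that matches in size and timestamp but cannot be hashed, as in this thread, is the pattern left by in-place patching of the driver; the size match alone says nothing, which is why the hash is the signal worth automating.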

Re: Please check my RSIT log

Posted: 18 Nov 2010 15:38
by mafl
I don't have a Windows installation CD.

Re: Please check my RSIT log

Posted: 18 Nov 2010 23:21
by vyosek
Download SPTD http://www.duplexsecure.com/en/downloads
  • On that page choose the version for your operating system (32-bit (x86) or 64-bit (x64))
  • Save it to the desktop and run it
  • Choose Uninstall and restart the PC; if it cannot be clicked (the button is greyed out), skip this step
Download Defogger http://www.jpshortstuff.247fixes.com/Defogger.exe
  • Save it to the desktop and run it
  • Click Disable and restart the PC; if it cannot be clicked (the button is greyed out), skip this step
Download MBR to the desktop http://www2.gmer.net/mbr/mbr.exe

Click Start and then Run, or use the keyboard shortcut Win+R
  • A small window pops up; copy the text below into it
  • Code:

    "%userprofile%\plocha\mbr" -t
  • Click OK
  • A log named mbr.txt will be created on the desktop; paste its contents here
Post the GMER logs; see my signature

Re: Please check my RSIT log

Posted: 19 Nov 2010 14:32
by mafl
Defogger log

defogger_disable by jpshortstuff (23.02.10.1)
Log created at 14:28 on 19/11/2010 (AMD)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...
a347bus -> Disabled (Service running -> reboot required)
a347scsi -> Disabled (Service running -> reboot required)
Unable to read atapi.sys
Unable to read sptd.sys
SPTD -> Disabled (Service running -> reboot required)


-=E.O.F=-

Re: Please check my RSIT log

Posted: 19 Nov 2010 14:34
by mafl
Here is the mbr.log

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Maxtor_6Y120L0 rev.YAR41BW0 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: TUKERNEL.EXE CLASSPNP.SYS disk.sys ACPI.sys hal.dll sfsync02.sys atapi.sys viaide.sys PCIIDEX.SYS
C:\WINDOWS\system32\drivers\sfsync02.sys Protection Technology StarForce Protection System
1 TUKERNEL!IofCallDriver[0x804E37C5] -> \Device\Harddisk0\DR0[0x8338BAB8]
3 CLASSPNP[0xF883705B] -> TUKERNEL!IofCallDriver[0x804E37C5] -> \Device\00000071[0x833CFF18]
5 ACPI[0xF876D620] -> TUKERNEL!IofCallDriver[0x804E37C5] -> \Device\Ide\IdeDeviceP0T0L0-3[0x83393940]
kernel: MBR read successfully
user & kernel MBR OK

Re: Please check my RSIT log

Posted: 19 Nov 2010 14:41
by vyosek
And now on to GMER; if it freezes, run it in Safe Mode (restart the PC, keep pressing F8, choose Safe Mode with Networking).

Re: Please check my RSIT log

Posted: 19 Nov 2010 14:42
by mafl
1st GMER log

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2010-11-19 14:40:19
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 Maxtor_6Y120L0 rev.YAR41BW0
Running: gmer.exe; Driver: C:\DOCUME~1\AMD\LOCALS~1\Temp\pgtdrpow.sys


---- Devices - GMER 1.0.15 ----

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort0 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort1 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

AttachedDevice \FileSystem\Ntfs \Ntfs amon.sys (Amon monitor/Eset )
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat amon.sys (Amon monitor/Eset )

Device \Driver\Tcpip \Device\Ip avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)
Device \Driver\Tcpip \Device\Tcp avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Tcp anf0100.sys (ANF Redirector/Netmarketing Pawel Wisniewski)

Device \Driver\Tcpip \Device\Udp avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)
Device \Driver\Tcpip \Device\RawIp avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)

---- EOF - GMER 1.0.15 ----

Re: Please check my RSIT log

Posted: 19 Nov 2010 14:44
by vyosek
And for the second one you will evidently have to wait; it can take 30 minutes but also 4 hours :D

Re: Please check my RSIT log

Posted: 19 Nov 2010 14:58
by mafl
GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-11-19 14:57:11
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 Maxtor_6Y120L0 rev.YAR41BW0
Running: gmer.exe; Driver: C:\DOCUME~1\AMD\LOCALS~1\Temp\pgtdrpow.sys


---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\System32\Drivers\sunkfilt.sys entry point in "init" section [0xF8AF62E0]
? C:\WINDOWS\system32\Drivers\mchInjDrv.sys Systém nemůže nalézt uvedený soubor. !
? C:\DOCUME~1\AMD\LOCALS~1\Temp\mbr.sys Systém nemůže nalézt uvedený soubor. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[260] kernel32.dll!CreateFileA 7C801A24 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\svchost.exe[260] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\svchost.exe[260] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\system32\svchost.exe[260] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\system32\svchost.exe[260] kernel32.dll!CreateFileW 7C810770 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\svchost.exe[260] kernel32.dll!WinExec 7C86158D 6 Bytes JMP 5F190F5A
.text C:\WINDOWS\system32\svchost.exe[260] ADVAPI32.dll!RegSetValueExA 77DCE927 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[260] ADVAPI32.dll!RegSetValueA 77DEC676 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[304] kernel32.dll!CreateFileA 7C801A24 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[304] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[304] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F160F5A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[304] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F130F5A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[304] kernel32.dll!CreateFileW 7C810770 6 Bytes JMP 5F100F5A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[304] kernel32.dll!WinExec 7C86158D 6 Bytes JMP 5F190F5A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[304] ADVAPI32.dll!RegSetValueExA 77DCE927 6 Bytes JMP 5F040F5A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[304] ADVAPI32.dll!RegSetValueA 77DEC676 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[344] kernel32.dll!CreateFileA 7C801A24 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[344] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[344] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F160F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[344] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F130F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[344] kernel32.dll!CreateFileW 7C810770 6 Bytes JMP 5F100F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[344] kernel32.dll!WinExec 7C86158D 6 Bytes JMP 5F190F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[344] ADVAPI32.dll!RegSetValueExA 77DCE927 6 Bytes JMP 5F040F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[344] ADVAPI32.dll!RegSetValueA 77DEC676 6 Bytes JMP 5F0A0F5A
.text C:\DOCUME~1\AMD\LOCALS~1\Temp\lsass.exe[508] kernel32.dll!CreateFileA 7C801A24 6 Bytes JMP 5F0D0F5A
.text C:\DOCUME~1\AMD\LOCALS~1\Temp\lsass.exe[508] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\DOCUME~1\AMD\LOCALS~1\Temp\lsass.exe[508] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F160F5A
.text C:\DOCUME~1\AMD\LOCALS~1\Temp\lsass.exe[508] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F130F5A
.text C:\DOCUME~1\AMD\LOCALS~1\Temp\lsass.exe[508] kernel32.dll!CreateFileW 7C810770 6 Bytes JMP 5F100F5A
.text C:\DOCUME~1\AMD\LOCALS~1\Temp\lsass.exe[508] kernel32.dll!WinExec 7C86158D 6 Bytes JMP 5F190F5A
.text C:\DOCUME~1\AMD\LOCALS~1\Temp\lsass.exe[508] ADVAPI32.dll!RegSetValueExA 77DCE927 6 Bytes JMP 5F040F5A
.text C:\DOCUME~1\AMD\LOCALS~1\Temp\lsass.exe[508] ADVAPI32.dll!RegSetValueA 77DEC676 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\csrss.exe[728] KERNEL32.dll!CreateFileA 7C801A24 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\csrss.exe[728] KERNEL32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\csrss.exe[728] KERNEL32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\system32\csrss.exe[728] KERNEL32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\system32\csrss.exe[728] KERNEL32.dll!CreateFileW 7C810770 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\csrss.exe[728] KERNEL32.dll!WinExec 7C86158D 6 Bytes JMP 5F190F5A
.text C:\WINDOWS\system32\csrss.exe[728] ADVAPI32.dll!RegSetValueExA 77DCE927 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\csrss.exe[728] ADVAPI32.dll!RegSetValueA 77DEC676 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\winlogon.exe[756] kernel32.dll!CreateFileA 7C801A24 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\winlogon.exe[756] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\winlogon.exe[756] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\system32\winlogon.exe[756] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\system32\winlogon.exe[756] kernel32.dll!CreateFileW 7C810770 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\winlogon.exe[756] kernel32.dll!WinExec 7C86158D 6 Bytes JMP 5F190F5A
.text C:\WINDOWS\system32\winlogon.exe[756] ADVAPI32.dll!RegSetValueExA 77DCE927 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\winlogon.exe[756] ADVAPI32.dll!RegSetValueA 77DEC676 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\services.exe[800] kernel32.dll!CreateFileA 7C801A24 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\services.exe[800] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\services.exe[800] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\system32\services.exe[800] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\system32\services.exe[800] kernel32.dll!CreateFileW 7C810770 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\services.exe[800] kernel32.dll!WinExec 7C86158D 6 Bytes JMP 5F190F5A
.text C:\WINDOWS\system32\services.exe[800] ADVAPI32.dll!RegSetValueExA 77DCE927 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\services.exe[800] ADVAPI32.dll!RegSetValueA 77DEC676 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\lsass.exe[812] kernel32.dll!CreateFileA 7C801A24 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\lsass.exe[812] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\lsass.exe[812] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\system32\lsass.exe[812] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\system32\lsass.exe[812] kernel32.dll!CreateFileW 7C810770 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\lsass.exe[812] kernel32.dll!WinExec 7C86158D 6 Bytes JMP 5F190F5A
.text C:\WINDOWS\system32\lsass.exe[812] ADVAPI32.dll!RegSetValueExA 77DCE927 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\lsass.exe[812] ADVAPI32.dll!RegSetValueA 77DEC676 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe[936] kernel32.dll!CreateFileA 7C801A24 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe[936] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe[936] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F160F5A
.text C:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe[936] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F130F5A
.text C:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe[936] kernel32.dll!CreateFileW 7C810770 6 Bytes JMP 5F100F5A
.text C:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe[936] kernel32.dll!WinExec 7C86158D 6 Bytes JMP 5F190F5A
.text C:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe[936] advapi32.dll!RegSetValueExA 77DCE927 6 Bytes JMP 5F040F5A
.text C:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe[936] advapi32.dll!RegSetValueA 77DEC676 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[968] kernel32.dll!CreateFileA 7C801A24 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[968] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[968] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[968] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[968] kernel32.dll!CreateFileW 7C810770 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[968] kernel32.dll!WinExec 7C86158D 6 Bytes JMP 5F190F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[968] ADVAPI32.dll!RegSetValueExA 77DCE927 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[968] ADVAPI32.dll!RegSetValueA 77DEC676 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!CreateFileA 7C801A24 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!CreateFileW 7C810770 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!WinExec 7C86158D 6 Bytes JMP 5F190F5A
.text C:\WINDOWS\system32\svchost.exe[980] ADVAPI32.dll!RegSetValueExA 77DCE927 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[980] ADVAPI32.dll!RegSetValueA 77DEC676 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!CreateFileA 7C801A24 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!CreateFileW 7C810770 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!WinExec 7C86158D 6 Bytes JMP 5F190F5A
.text C:\WINDOWS\system32\svchost.exe[1072] ADVAPI32.dll!RegSetValueExA 77DCE927 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[1072] ADVAPI32.dll!RegSetValueA 77DEC676 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1148] kernel32.dll!CreateFileA 7C801A24 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1148] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1148] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F160F5A
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1148] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F130F5A
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1148] kernel32.dll!CreateFileW 7C810770 6 Bytes JMP 5F100F5A
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1148] kernel32.dll!WinExec 7C86158D 6 Bytes JMP 5F190F5A
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1148] ADVAPI32.dll!RegSetValueExA 77DCE927 6 Bytes JMP 5F040F5A
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1148] ADVAPI32.dll!RegSetValueA 77DEC676 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\System32\svchost.exe[1164] kernel32.dll!CreateFileA 7C801A24 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\System32\svchost.exe[1164] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\System32\svchost.exe[1164] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\System32\svchost.exe[1164] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\System32\svchost.exe[1164] kernel32.dll!CreateFileW 7C810770 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\System32\svchost.exe[1164] kernel32.dll!WinExec 7C86158D 6 Bytes JMP 5F190F5A
.text C:\WINDOWS\System32\svchost.exe[1164] ADVAPI32.dll!RegSetValueExA 77DCE927 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\System32\svchost.exe[1164] ADVAPI32.dll!RegSetValueA 77DEC676 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreateFileA 7C801A24 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreateFileW 7C810770 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!WinExec 7C86158D 6 Bytes JMP 5F190F5A
.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegSetValueExA 77DCE927 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegSetValueA 77DEC676 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!CreateFileA 7C801A24 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!CreateFileW 7C810770 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!WinExec 7C86158D 6 Bytes JMP 5F190F5A
.text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!RegSetValueExA 77DCE927 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!RegSetValueA 77DEC676 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] kernel32.dll!CreateFileA 7C801A24 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F160F5A
.text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F130F5A
.text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] kernel32.dll!CreateFileW 7C810770 6 Bytes JMP 5F100F5A
.text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] kernel32.dll!WinExec 7C86158D 6 Bytes JMP 5F190F5A
.text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] ADVAPI32.dll!RegSetValueExA 77DCE927 6 Bytes JMP 5F040F5A
.text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1276] ADVAPI32.dll!RegSetValueA 77DEC676 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!CreateFileA 7C801A24 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!CreateFileW 7C810770 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!WinExec 7C86158D 6 Bytes JMP 5F190F5A
.text C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!RegSetValueExA 77DCE927 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!RegSetValueA 77DEC676 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Google\Update\GoogleUpdate.exe[1420] kernel32.dll!CreateFileA 7C801A24 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Google\Update\GoogleUpdate.exe[1420] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Google\Update\GoogleUpdate.exe[1420] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F160F5A
.text C:\Program Files\Google\Update\GoogleUpdate.exe[1420] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F130F5A
.text C:\Program Files\Google\Update\GoogleUpdate.exe[1420] kernel32.dll!CreateFileW 7C810770 6 Bytes JMP 5F100F5A
.text C:\Program Files\Google\Update\GoogleUpdate.exe[1420] kernel32.dll!WinExec 7C86158D 6 Bytes JMP 5F190F5A
.text C:\Program Files\Google\Update\GoogleUpdate.exe[1420] ADVAPI32.dll!RegSetValueExA 77DCE927 6 Bytes JMP 5F040F5A
.text C:\Program Files\Google\Update\GoogleUpdate.exe[1420] ADVAPI32.dll!RegSetValueA 77DEC676 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[1580] kernel32.dll!CreateFileA 7C801A24 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[1580] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[1580] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[1580] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[1580] kernel32.dll!CreateFileW 7C810770 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[1580] kernel32.dll!WinExec 7C86158D 6 Bytes JMP 5F190F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[1580] ADVAPI32.dll!RegSetValueExA 77DCE927 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[1580] ADVAPI32.dll!RegSetValueA 77DEC676 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\Explorer.EXE[1652] kernel32.dll!CreateFileA 7C801A24 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\Explorer.EXE[1652] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\Explorer.EXE[1652] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\Explorer.EXE[1652] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\Explorer.EXE[1652] kernel32.dll!CreateFileW 7C810770 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\Explorer.EXE[1652] kernel32.dll!WinExec 7C86158D 6 Bytes JMP 5F190F5A
.text C:\WINDOWS\Explorer.EXE[1652] ADVAPI32.dll!RegSetValueExA 77DCE927 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\Explorer.EXE[1652] ADVAPI32.dll!RegSetValueA 77DEC676 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\spoolsv.exe[1760] kernel32.dll!CreateFileA 7C801A24 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\spoolsv.exe[1760] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\spoolsv.exe[1760] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\system32\spoolsv.exe[1760] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\system32\spoolsv.exe[1760] kernel32.dll!CreateFileW 7C810770 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\spoolsv.exe[1760] kernel32.dll!WinExec 7C86158D 6 Bytes JMP 5F190F5A
.text C:\WINDOWS\system32\spoolsv.exe[1760] ADVAPI32.dll!RegSetValueExA 77DCE927 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\spoolsv.exe[1760] ADVAPI32.dll!RegSetValueA 77DEC676 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Eset\nod32krn.exe[1800] kernel32.dll!CreateFileA 7C801A24 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Eset\nod32krn.exe[1800] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Eset\nod32krn.exe[1800] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F160F5A
.text C:\Program Files\Eset\nod32krn.exe[1800] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F130F5A
.text C:\Program Files\Eset\nod32krn.exe[1800] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 7170003D
.text C:\Program Files\Eset\nod32krn.exe[1800] kernel32.dll!CreateFileW 7C810770 6 Bytes JMP 5F100F5A
.text C:\Program Files\Eset\nod32krn.exe[1800] kernel32.dll!WinExec 7C86158D 6 Bytes JMP 5F190F5A
.text C:\Program Files\Eset\nod32krn.exe[1800] ADVAPI32.dll!RegSetValueExA 77DCE927 6 Bytes JMP 5F040F5A
.text C:\Program Files\Eset\nod32krn.exe[1800] ADVAPI32.dll!RegSetValueA 77DEC676 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Eset\nod32kui.exe[1892] kernel32.dll!CreateFileA 7C801A24 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Eset\nod32kui.exe[1892] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Eset\nod32kui.exe[1892]

Re: Please check my RSIT log

Posted: 19 Nov 2010 15:00
by mafl
kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F160F5A
.text C:\Program Files\Eset\nod32kui.exe[1892] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F130F5A
.text C:\Program Files\Eset\nod32kui.exe[1892] kernel32.dll!CreateFileW 7C810770 6 Bytes JMP 5F100F5A
.text C:\Program Files\Eset\nod32kui.exe[1892] kernel32.dll!WinExec 7C86158D 6 Bytes JMP 5F190F5A
.text C:\Program Files\Eset\nod32kui.exe[1892] ADVAPI32.dll!RegSetValueExA 77DCE927 6 Bytes JMP 5F040F5A
.text C:\Program Files\Eset\nod32kui.exe[1892] ADVAPI32.dll!RegSetValueA 77DEC676 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Multimedia Card Reader\shwicon2k.exe[1900] kernel32.dll!CreateFileA 7C801A24 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Multimedia Card Reader\shwicon2k.exe[1900] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Multimedia Card Reader\shwicon2k.exe[1900] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F160F5A
.text C:\Program Files\Multimedia Card Reader\shwicon2k.exe[1900] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F130F5A
.text C:\Program Files\Multimedia Card Reader\shwicon2k.exe[1900] kernel32.dll!CreateFileW 7C810770 6 Bytes JMP 5F100F5A
.text C:\Program Files\Multimedia Card Reader\shwicon2k.exe[1900] kernel32.dll!WinExec 7C86158D 6 Bytes JMP 5F190F5A
.text C:\Program Files\Multimedia Card Reader\shwicon2k.exe[1900] ADVAPI32.dll!RegSetValueExA 77DCE927 6 Bytes JMP 5F040F5A
.text C:\Program Files\Multimedia Card Reader\shwicon2k.exe[1900] ADVAPI32.dll!RegSetValueA 77DEC676 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\IoctlSvc.exe[2060] kernel32.dll!CreateFileA 7C801A24 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\IoctlSvc.exe[2060] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\IoctlSvc.exe[2060] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\system32\IoctlSvc.exe[2060] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\system32\IoctlSvc.exe[2060] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 7170003D
.text C:\WINDOWS\system32\IoctlSvc.exe[2060] kernel32.dll!CreateFileW 7C810770 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\IoctlSvc.exe[2060] kernel32.dll!WinExec 7C86158D 6 Bytes JMP 5F190F5A
.text C:\WINDOWS\system32\IoctlSvc.exe[2060] ADVAPI32.dll!RegSetValueExA 77DCE927 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\IoctlSvc.exe[2060] ADVAPI32.dll!RegSetValueA 77DEC676 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\HPZipm12.exe[2088] kernel32.dll!CreateFileA 7C801A24 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\HPZipm12.exe[2088] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\HPZipm12.exe[2088] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\system32\HPZipm12.exe[2088] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\system32\HPZipm12.exe[2088] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 7170003D
.text C:\WINDOWS\system32\HPZipm12.exe[2088] kernel32.dll!CreateFileW 7C810770 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\HPZipm12.exe[2088] kernel32.dll!WinExec 7C86158D 6 Bytes JMP 5F190F5A
.text C:\WINDOWS\system32\HPZipm12.exe[2088] ADVAPI32.dll!RegSetValueExA 77DCE927 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\HPZipm12.exe[2088] ADVAPI32.dll!RegSetValueA 77DEC676 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\PnkBstrA.exe[2124] kernel32.dll!CreateFileA 7C801A24 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\PnkBstrA.exe[2124] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\PnkBstrA.exe[2124] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\system32\PnkBstrA.exe[2124] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\system32\PnkBstrA.exe[2124] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 7170003D
.text C:\WINDOWS\system32\PnkBstrA.exe[2124] kernel32.dll!CreateFileW 7C810770 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\PnkBstrA.exe[2124] kernel32.dll!WinExec 7C86158D 6 Bytes JMP 5F190F5A
.text C:\WINDOWS\system32\PnkBstrA.exe[2124] ADVAPI32.dll!RegSetValueExA 77DCE927 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\PnkBstrA.exe[2124] ADVAPI32.dll!RegSetValueA 77DEC676 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2192] kernel32.dll!CreateFileA 7C801A24 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2192] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2192] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F160F5A
.text C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2192] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F130F5A
.text C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2192] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 7170003D
.text C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2192] kernel32.dll!CreateFileW 7C810770 6 Bytes JMP 5F100F5A
.text C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2192] kernel32.dll!WinExec 7C86158D 6 Bytes JMP 5F190F5A
.text C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2192] ADVAPI32.dll!RegSetValueExA 77DCE927 6 Bytes JMP 5F040F5A
.text C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2192] ADVAPI32.dll!RegSetValueA 77DEC676 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[2240] kernel32.dll!CreateFileA 7C801A24 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\svchost.exe[2240] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\svchost.exe[2240] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\system32\svchost.exe[2240] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\system32\svchost.exe[2240] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 7170003D
.text C:\WINDOWS\system32\svchost.exe[2240] kernel32.dll!CreateFileW 7C810770 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\svchost.exe[2240] kernel32.dll!WinExec 7C86158D 6 Bytes JMP 5F190F5A
.text C:\WINDOWS\system32\svchost.exe[2240] ADVAPI32.dll!RegSetValueExA 77DCE927 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[2240] ADVAPI32.dll!RegSetValueA 77DEC676 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\wscntfy.exe[2928] kernel32.dll!CreateFileA 7C801A24 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\wscntfy.exe[2928] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\wscntfy.exe[2928] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\system32\wscntfy.exe[2928] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\system32\wscntfy.exe[2928] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 7170003D
.text C:\WINDOWS\system32\wscntfy.exe[2928] kernel32.dll!CreateFileW 7C810770 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\wscntfy.exe[2928] kernel32.dll!WinExec 7C86158D 6 Bytes JMP 5F190F5A
.text C:\WINDOWS\system32\wscntfy.exe[2928] ADVAPI32.dll!RegSetValueExA 77DCE927 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\wscntfy.exe[2928] ADVAPI32.dll!RegSetValueA 77DEC676 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\System32\alg.exe[3008] kernel32.dll!CreateFileA 7C801A24 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\System32\alg.exe[3008] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\System32\alg.exe[3008] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\System32\alg.exe[3008] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\System32\alg.exe[3008] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 7170003D
.text C:\WINDOWS\System32\alg.exe[3008] kernel32.dll!CreateFileW 7C810770 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\System32\alg.exe[3008] kernel32.dll!WinExec 7C86158D 6 Bytes JMP 5F190F5A
.text C:\WINDOWS\System32\alg.exe[3008] ADVAPI32.dll!RegSetValueExA 77DCE927 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\System32\alg.exe[3008] ADVAPI32.dll!RegSetValueA 77DEC676 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\WinRAR\WinRAR.exe[3388] kernel32.dll!CreateFileA 7C801A24 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\WinRAR\WinRAR.exe[3388] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\WinRAR\WinRAR.exe[3388] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F160F5A
.text C:\Program Files\WinRAR\WinRAR.exe[3388] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F130F5A
.text C:\Program Files\WinRAR\WinRAR.exe[3388] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 7170003D
.text C:\Program Files\WinRAR\WinRAR.exe[3388] kernel32.dll!CreateFileW 7C810770 6 Bytes JMP 5F100F5A
.text C:\Program Files\WinRAR\WinRAR.exe[3388] kernel32.dll!WinExec 7C86158D 6 Bytes JMP 5F190F5A
.text C:\Program Files\WinRAR\WinRAR.exe[3388] ADVAPI32.dll!RegSetValueExA 77DCE927 6 Bytes JMP 5F040F5A
.text C:\Program Files\WinRAR\WinRAR.exe[3388] ADVAPI32.dll!RegSetValueA 77DEC676 6 Bytes JMP 5F0A0F5A
.text C:\DOCUME~1\AMD\LOCALS~1\Temp\Rar$EX00.593\gmer.exe[3436] kernel32.dll!CreateFileA 7C801A24 6 Bytes JMP 5F0D0F5A
.text C:\DOCUME~1\AMD\LOCALS~1\Temp\Rar$EX00.593\gmer.exe[3436] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\DOCUME~1\AMD\LOCALS~1\Temp\Rar$EX00.593\gmer.exe[3436] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F160F5A
.text C:\DOCUME~1\AMD\LOCALS~1\Temp\Rar$EX00.593\gmer.exe[3436] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F130F5A
.text C:\DOCUME~1\AMD\LOCALS~1\Temp\Rar$EX00.593\gmer.exe[3436] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 7170003D
.text C:\DOCUME~1\AMD\LOCALS~1\Temp\Rar$EX00.593\gmer.exe[3436] kernel32.dll!CreateFileW 7C810770 6 Bytes JMP 5F100F5A
.text C:\DOCUME~1\AMD\LOCALS~1\Temp\Rar$EX00.593\gmer.exe[3436] kernel32.dll!WinExec 7C86158D 6 Bytes JMP 5F190F5A
.text C:\DOCUME~1\AMD\LOCALS~1\Temp\Rar$EX00.593\gmer.exe[3436] advapi32.dll!RegSetValueExA 77DCE927 6 Bytes JMP 5F040F5A
.text C:\DOCUME~1\AMD\LOCALS~1\Temp\Rar$EX00.593\gmer.exe[3436] advapi32.dll!RegSetValueA 77DEC676 6 Bytes JMP 5F0A0F5A
.text C:\DOCUME~1\AMD\LOCALS~1\Temp\vv2.exe[4056] kernel32.dll!CreateFileA 7C801A24 6 Bytes JMP 5F0D0F5A
.text C:\DOCUME~1\AMD\LOCALS~1\Temp\vv2.exe[4056] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\DOCUME~1\AMD\LOCALS~1\Temp\vv2.exe[4056] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F160F5A
.text C:\DOCUME~1\AMD\LOCALS~1\Temp\vv2.exe[4056] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F130F5A
.text C:\DOCUME~1\AMD\LOCALS~1\Temp\vv2.exe[4056] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 7170003D
.text C:\DOCUME~1\AMD\LOCALS~1\Temp\vv2.exe[4056] kernel32.dll!CreateFileW 7C810770 6 Bytes JMP 5F100F5A
.text C:\DOCUME~1\AMD\LOCALS~1\Temp\vv2.exe[4056] kernel32.dll!WinExec 7C86158D 6 Bytes JMP 5F190F5A
.text C:\DOCUME~1\AMD\LOCALS~1\Temp\vv2.exe[4056] ADVAPI32.dll!RegSetValueExA 77DCE927 6 Bytes JMP 5F040F5A
.text C:\DOCUME~1\AMD\LOCALS~1\Temp\vv2.exe[4056] ADVAPI32.dll!RegSetValueA 77DEC676 6 Bytes JMP 5F0A0F5A

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs amon.sys (Amon monitor/Eset )

Device \Driver\Tcpip \Device\Ip avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)
Device \Driver\Tcpip \Device\Tcp avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Tcp anf0100.sys (ANF Redirector/Netmarketing Pawel Wisniewski)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snaprtt.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 snaprtt.sys (Acronis Snapshot API/Acronis)

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort0 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort1 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\USBSTOR \Device\00000079 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\Tcpip \Device\Udp avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)
Device \Driver\Tcpip \Device\RawIp avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)
Device \Driver\USBSTOR \Device\0000007a sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x9C 0x32 0x7E 0x0A ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x37 0x0E 0x6B 0x2B ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x9C 0x32 0x7E 0x0A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x37 0x0E 0x6B 0x2B ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x9C 0x32 0x7E 0x0A ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x37 0x0E 0x6B 0x2B ...

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 01: copy of MBR
Disk \Device\Harddisk0\DR0 sector 02: copy of MBR
Disk \Device\Harddisk0\DR0 sector 03: copy of MBR
Disk \Device\Harddisk0\DR0 sector 04: copy of MBR
Disk \Device\Harddisk0\DR0 sector 05: copy of MBR
Disk \Device\Harddisk0\DR0 sector 06: copy of MBR
Disk \Device\Harddisk0\DR0 sector 07: copy of MBR
Disk \Device\Harddisk0\DR0 sector 08: copy of MBR
Disk \Device\Harddisk0\DR0 sector 09: copy of MBR
Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 11: copy of MBR
Disk \Device\Harddisk0\DR0 sector 12: copy of MBR
Disk \Device\Harddisk0\DR0 sector 13: copy of MBR
Disk \Device\Harddisk0\DR0 sector 14: copy of MBR
Disk \Device\Harddisk0\DR0 sector 15: copy of MBR
Disk \Device\Harddisk0\DR0 sector 16: copy of MBR
Disk \Device\Harddisk0\DR0 sector 17: copy of MBR
Disk \Device\Harddisk0\DR0 sector 18: copy of MBR
Disk \Device\Harddisk0\DR0 sector 19: copy of MBR
Disk \Device\Harddisk0\DR0 sector 20: copy of MBR
Disk \Device\Harddisk0\DR0 sector 21: copy of MBR
Disk \Device\Harddisk0\DR0 sector 22: copy of MBR
Disk \Device\Harddisk0\DR0 sector 23: copy of MBR
Disk \Device\Harddisk0\DR0 sector 24: copy of MBR
Disk \Device\Harddisk0\DR0 sector 25: copy of MBR
Disk \Device\Harddisk0\DR0 sector 26: copy of MBR
Disk \Device\Harddisk0\DR0 sector 27: copy of MBR
Disk \Device\Harddisk0\DR0 sector 28: copy of MBR
Disk \Device\Harddisk0\DR0 sector 29: copy of MBR
Disk \Device\Harddisk0\DR0 sector 30: copy of MBR
Disk \Device\Harddisk0\DR0 sector 31: copy of MBR
Disk \Device\Harddisk0\DR0 sector 32: copy of MBR
Disk \Device\Harddisk0\DR0 sector 33: copy of MBR
Disk \Device\Harddisk0\DR0 sector 34: copy of MBR
Disk \Device\Harddisk0\DR0 sector 35: copy of MBR
Disk \Device\Harddisk0\DR0 sector 36: copy of MBR
Disk \Device\Harddisk0\DR0 sector 37: copy of MBR
Disk \Device\Harddisk0\DR0 sector 38: copy of MBR
Disk \Device\Harddisk0\DR0 sector 39: copy of MBR
Disk \Device\Harddisk0\DR0 sector 40: copy of MBR
Disk \Device\Harddisk0\DR0 sector 41: copy of MBR
Disk \Device\Harddisk0\DR0 sector 42: copy of MBR
Disk \Device\Harddisk0\DR0 sector 43: copy of MBR
Disk \Device\Harddisk0\DR0 sector 44: copy of MBR
Disk \Device\Harddisk0\DR0 sector 45: copy of MBR
Disk \Device\Harddisk0\DR0 sector 46: copy of MBR
Disk \Device\Harddisk0\DR0 sector 47: copy of MBR
Disk \Device\Harddisk0\DR0 sector 48: copy of MBR
Disk \Device\Harddisk0\DR0 sector 49: copy of MBR
Disk \Device\Harddisk0\DR0 sector 50: copy of MBR
Disk \Device\Harddisk0\DR0 sector 51: copy of MBR
Disk \Device\Harddisk0\DR0 sector 52: copy of MBR
Disk \Device\Harddisk0\DR0 sector 53: copy of MBR
Disk \Device\Harddisk0\DR0 sector 54: copy of MBR
Disk \Device\Harddisk0\DR0 sector 55: copy of MBR
Disk \Device\Harddisk0\DR0 sector 56: copy of MBR
Disk \Device\Harddisk0\DR0 sector 57: copy of MBR
Disk \Device\Harddisk0\DR0 sector 58: copy of MBR
Disk \Device\Harddisk0\DR0 sector 59: copy of MBR
Disk \Device\Harddisk0\DR0 sector 60: copy of MBR
Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR

---- EOF - GMER 1.0.15 ----
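
A helper triaging a GMER log like the one above has to pull three things out of several hundred lines: which processes share the same user-mode hooks (one redirect target repeated in every process means a single injected DLL, whether security software or malware), which hooked processes run from a Temp directory, and which disk sectors GMER itself flags. The parser below is an added example, not part of this thread or of GMER; its sample lines are constructed in the log format shown above, and truncated or unknown lines are skipped rather than guessed at.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple

# Constructed sample in the GMER 1.0.15 log format seen in this thread: a few user-mode
# hook lines, then the disk-sector section. A real log carries hundreds of such lines.
SAMPLE_LOG = r"""
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!CreateFileA 7C801A24 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\Explorer.EXE[1652] kernel32.dll!CreateFileA 7C801A24 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\Explorer.EXE[1652] ADVAPI32.dll!RegSetValueA 77DEC676 6 Bytes JMP 5F0A0F5A
.text C:\DOCUME~1\AMD\LOCALS~1\Temp\vv2.exe[4056] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 7170003D
.text C:\DOCUME~1\AMD\LOCALS~1\Temp\vv2.exe[4056] kernel32.dll!CreateFileA 7C801A24 6 Bytes JMP 5F0D0F5A

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 01: copy of MBR
Disk \Device\Harddisk0\DR0 sector 02: copy of MBR
Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR

---- EOF - GMER 1.0.15 ----
"""


class Hook(NamedTuple):
    process: str    # full path of the hooked process
    pid: int
    module: str     # e.g. kernel32.dll
    function: str   # e.g. CreateFileA, or "FreeLibrary + 15" for a patch inside a function
    address: int    # address that was overwritten
    nbytes: int
    kind: str       # JMP or CALL
    target: int     # where the overwritten bytes redirect execution


class Sector(NamedTuple):
    device: str
    number: int
    description: str


# ".text <process>[<pid>] <module>!<function> <addr> <n> Bytes JMP|CALL <target>"
HOOK_RE = re.compile(
    r"^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] (?P<mod>[^!]+)!(?P<func>.+?) "
    r"(?P<addr>[0-9A-F]{8}) (?P<n>\d+) Bytes (?P<kind>JMP|CALL) (?P<target>[0-9A-F]{8})$"
)
# "Disk <device> sector <nn>: <description>"
SECTOR_RE = re.compile(r"^Disk (?P<dev>\S+) sector (?P<sec>\d+): (?P<desc>.+)$")


def parse_gmer(text: str) -> Tuple[List[Hook], List[Sector]]:
    """Extract hook and disk-sector records. Lines matching neither pattern (section
    headers, device/registry entries, a line cut short by a forum post limit) are skipped."""
    hooks: List[Hook] = []
    sectors: List[Sector] = []
    for line in text.splitlines():
        m = HOOK_RE.match(line)
        if m:
            hooks.append(Hook(m["proc"], int(m["pid"]), m["mod"], m["func"],
                              int(m["addr"], 16), int(m["n"]), m["kind"], int(m["target"], 16)))
            continue
        m = SECTOR_RE.match(line)
        if m:
            sectors.append(Sector(m["dev"], int(m["sec"]), m["desc"]))
    return hooks, sectors


def hooks_by_target(hooks: List[Hook]) -> Dict[int, Set[Tuple[str, int]]]:
    """Group hooks by redirect target. One target present in every process means a single
    DLL is injected system-wide; that holds for security software and malware alike, so the
    next question is which module owns that address range."""
    out: Dict[int, Set[Tuple[str, int]]] = defaultdict(set)
    for h in hooks:
        out[h.target].add((h.process, h.pid))
    return out


def processes_from_temp(hooks: List[Hook]) -> Set[Tuple[str, int]]:
    """Hooked processes running out of a Temp directory, like vv2.exe in this thread."""
    return {(h.process, h.pid) for h in hooks if "\\temp\\" in h.process.lower()}


def flagged_sectors(sectors: List[Sector]) -> List[int]:
    """Sector numbers GMER itself marked as rootkit-like."""
    return [s.number for s in sectors if "rootkit-like behavior" in s.description]


def mbr_copy_count(sectors: List[Sector]) -> int:
    return sum(1 for s in sectors if "copy of MBR" in s.description)


def summarize(text: str) -> Dict[str, object]:
    hooks, sectors = parse_gmer(text)
    shared = {t for t, procs in hooks_by_target(hooks).items() if len(procs) > 1}
    return {
        "hooked_processes": len({(h.process, h.pid) for h in hooks}),
        "shared_targets": sorted(f"{t:08X}" for t in shared),
        "temp_processes": sorted(p for p, _ in processes_from_temp(hooks)),
        "flagged_sectors": flagged_sectors(sectors),
        "mbr_copies": mbr_copy_count(sectors),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it on a full log by passing the file contents to summarize(); a shared target list with a single entry and flagged sectors in the first track are the two signals this thread turned on.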

Re: Please check my RSIT log

Posted: 19 Nov 2010 15:09
by vyosek
:arrow: Download this replacement file http://leteckaposta.cz/803134827 and save it directly to drive C:\, so that its path is C:\ATAPI.sys

:arrow: If you don't have it, move ComboFix to the desktop
  • Open Notepad (Start - Run - notepad)
  • Copy the script below
  • Code:

    Collect::
    C:\DOCUME~1\AMD\LOCALS~1\Temp\lsass.exe
    
    Folder::
    C:\DOCUME~1\AMD\LOCALS~1\Temp
    
    FCopy::
    C:\atapi.sys | c:\windows\system32\drivers\atapi.sys
  • Save the text file you created as CFScript.txt
  • Drag the CFScript.txt you created onto ComboFix and drop it (see the image below)
    [image]
  • After the script has been applied (and after a possible reboot) a log will pop up; paste its contents here
:arrow: It may happen that Windows does not boot after the script is applied; in that case restart the PC, keep pressing F8 and choose Last Known Good Configuration

Re: Please check my RSIT log

Posted: 19 Nov 2010 15:47
by mafl
ComboFix 10-11-16.05 - AMD . 11. 2010 15:19:51.17.1 - x86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.421.1029.18.511.182 [GMT 1:00]
Running from: C:\Documents and Settings\AMD\Plocha\ComboFix.exe
Command switches used :: C:\Documents and Settings\AMD\Plocha\CFScript.txt
AV: Eset NOD32 Antivirus 2.70 *On-access scanning enabled* (Outdated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Created a new restore point
* Resident AV is active


file zipped: C:\DOCUME~1\AMD\LOCALS~1\Temp\lsass.exe
.
The following files were disabled during the run:
C:\Program Files\iolo\Common\Lib\sguard.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\AMD\LOCALS~1\Temp
C:\DOCUME~1\AMD\LOCALS~1\Temp\boost_interprocess\INI_FILE_MUTEX
C:\DOCUME~1\AMD\LOCALS~1\Temp\etilqs_ebGDqggiwUBLxontswp8
C:\DOCUME~1\AMD\LOCALS~1\Temp\etilqs_oZNGQA1hz2JWObL3F3Sh
C:\DOCUME~1\AMD\LOCALS~1\Temp\eula.txt
C:\DOCUME~1\AMD\LOCALS~1\Temp\google_cache119.tmp
C:\DOCUME~1\AMD\LOCALS~1\Temp\IcqUpdater.exe
C:\DOCUME~1\AMD\LOCALS~1\Temp\lsass.exe
C:\DOCUME~1\AMD\LOCALS~1\Temp\nro.log\log\ShellManager_Log.txt
C:\DOCUME~1\AMD\LOCALS~1\Temp\Rar$EX00.593\gmer.exe
C:\DOCUME~1\AMD\LOCALS~1\Temp\Rar$EX03.906\gmer.exe
C:\DOCUME~1\AMD\LOCALS~1\Temp\vv2.exe
C:\Documents and Settings\AMD\JVDAGDJGDJ.exe

.
--------------- FCopy ---------------

C:\atapi.sys --> c:\windows\system32\drivers\atapi.sys
.
((((((((((((((((((((((((( Files Created from 2010-10-19 to 2010-11-19 )))))))))))))))))))))))))))))))
.

2010-11-19 14:12:52 . 2010-11-19 14:12:52 27600 ------w- C:\ATAPI.SYS
2010-11-17 14:23:49 . 2010-02-12 10:03:03 293376 ------w- C:\WINDOWS\system32\browserchoice.exe
2010-11-17 14:11:57 . 2010-11-17 14:53:11 -------- d-----w- C:\Documents and Settings\AMD\Local Settings\Data aplikací\ConduitEngine
2010-11-17 14:11:55 . 2010-11-17 14:11:56 -------- d-----w- C:\Program Files\ConduitEngine
2010-11-17 14:11:55 . 2010-11-17 14:11:55 0 ----a-w- C:\WINDOWS\system32\ConduitEngine.tmp
2010-11-14 09:59:07 . 2010-11-14 09:59:07 -------- d-----w- C:\Documents and Settings\AMD\Data aplikací\GanymedeNet
2010-11-14 09:58:30 . 2010-09-21 15:30:02 120296 ----a-w- C:\Program Files\Mozilla Firefox\plugins\npganymedenet.dll
2010-11-14 09:57:24 . 2010-11-14 09:58:29 -------- d-----w- C:\Program Files\Ganymede
2010-11-06 18:57:20 . 2010-11-06 18:57:40 -------- d-----w- C:\Program Files\Governor of Poker
2010-11-06 18:49:37 . 2010-11-06 18:49:44 -------- d-----w- C:\Program Files\bfgclient
2010-11-06 18:43:34 . 2010-11-06 18:50:35 -------- d-----w- C:\Documents and Settings\All Users\Data aplikací\BigFishGamesCache
2010-11-05 14:10:39 . 2010-11-14 14:56:30 -------- d-----w- C:\Program Files\Valve
2010-11-02 19:47:24 . 2010-11-02 19:47:24 -------- d-----w- C:\Documents and Settings\All Users\Data aplikací\hps
2010-11-02 19:25:29 . 2010-11-02 19:25:29 -------- d-----w- C:\Program Files\Fotolab
2010-10-30 11:05:02 . 2006-06-07 20:43:38 5050368 ----a-w- C:\WINDOWS\system32\Kopie - atioglxx.dll
2010-10-25 18:24:47 . 2010-10-25 18:24:47 -------- d-----w- C:\Documents and Settings\AMD\Data aplikací\PlayFirst
2010-10-25 18:23:13 . 2010-10-25 18:24:47 -------- d-----w- C:\Documents and Settings\All Users\Data aplikací\PlayFirst

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((( SnapShot@2010-11-18_13.44.33 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-11-18 14:55:19 . 2010-11-18 14:55:19 5120 C:\WINDOWS\Installer\{789289CA-F73A-4A16-A331-54D498CE069F}\Icon789289CA.exe
- 2010-11-17 15:28:59 . 2010-11-17 15:28:59 5120 C:\WINDOWS\Installer\{789289CA-F73A-4A16-A331-54D498CE069F}\Icon789289CA.exe
+ 2010-11-18 21:04:27 . 2010-03-15 16:00:02 414208 C:\WINDOWS\system32\WgaTray.exe
+ 2007-04-10 13:02:50 . 2009-06-25 12:20:28 1485176 C:\WINDOWS\system32\LegitCheckControl.DLL
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{da21bd13-ca22-42e3-a071-98f08f1ca1e7}"= "C:\Program Files\Peer2Peer-EN\tbPee2.dll" [2010-10-18 10:26:36 3908192]
"{9565115d-c7d6-46d3-bd63-b67b481a4368}"= "C:\Program Files\PageRage\tbPag2.dll" [2010-10-18 10:26:36 3908192]
"{ce10bf86-da68-441e-91fa-38336363e3cd}"= "C:\Program Files\Movier-media\tbMov0.dll" [2010-09-26 17:56:40 2735200]

[HKEY_CLASSES_ROOT\clsid\{da21bd13-ca22-42e3-a071-98f08f1ca1e7}]

[HKEY_CLASSES_ROOT\clsid\{9565115d-c7d6-46d3-bd63-b67b481a4368}]

[HKEY_CLASSES_ROOT\clsid\{ce10bf86-da68-441e-91fa-38336363e3cd}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2010-10-18 10:26:36 3908192 ----a-w- C:\Program Files\ConduitEngine\ConduitEngine.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9565115d-c7d6-46d3-bd63-b67b481a4368}]
2010-10-18 10:26:36 3908192 ----a-w- C:\Program Files\PageRage\tbPag2.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ce10bf86-da68-441e-91fa-38336363e3cd}]
2010-09-26 17:56:40 2735200 ----a-w- C:\Program Files\Movier-media\tbMov0.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{da21bd13-ca22-42e3-a071-98f08f1ca1e7}]
2010-10-18 10:26:36 3908192 ----a-w- C:\Program Files\Peer2Peer-EN\tbPee2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{da21bd13-ca22-42e3-a071-98f08f1ca1e7}"= "C:\Program Files\Peer2Peer-EN\tbPee2.dll" [2010-10-18 10:26:36 3908192]
"{9565115d-c7d6-46d3-bd63-b67b481a4368}"= "C:\Program Files\PageRage\tbPag2.dll" [2010-10-18 10:26:36 3908192]
"{ce10bf86-da68-441e-91fa-38336363e3cd}"= "C:\Program Files\Movier-media\tbMov0.dll" [2010-09-26 17:56:40 2735200]

[HKEY_CLASSES_ROOT\clsid\{da21bd13-ca22-42e3-a071-98f08f1ca1e7}]

[HKEY_CLASSES_ROOT\clsid\{9565115d-c7d6-46d3-bd63-b67b481a4368}]

[HKEY_CLASSES_ROOT\clsid\{ce10bf86-da68-441e-91fa-38336363e3cd}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{DA21BD13-CA22-42E3-A071-98F08F1CA1E7}"= "C:\Program Files\Peer2Peer-EN\tbPee2.dll" [2010-10-18 10:26:36 3908192]
"{9565115D-C7D6-46D3-BD63-B67B481A4368}"= "C:\Program Files\PageRage\tbPag2.dll" [2010-10-18 10:26:36 3908192]
"{CE10BF86-DA68-441E-91FA-38336363E3CD}"= "C:\Program Files\Movier-media\tbMov0.dll" [2010-09-26 17:56:40 2735200]

[HKEY_CLASSES_ROOT\clsid\{da21bd13-ca22-42e3-a071-98f08f1ca1e7}]

[HKEY_CLASSES_ROOT\clsid\{9565115d-c7d6-46d3-bd63-b67b481a4368}]

[HKEY_CLASSES_ROOT\clsid\{ce10bf86-da68-441e-91fa-38336363e3cd}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-10-12 18:08:48 949376]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2005-10-27 14:01:16 139264]
"NortonOnlineBackupReminder"="C:\Program Files\Symantec\Norton Online Backup\Activation\NOBuActivation.exe" [2009-11-03 19:33:28 3272552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-17 13:49:24 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\Documents and Settings\All Users\Data aplikací\TuneUp Software\TuneUp Utilities\WinStyler\tu_logonui.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0smrgdf C:\Program Files\iolo\System Mechanic Professional 6\

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"OM2_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" -NoStart

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
"Cmaudio"=RunDll32 cmicnfg.cpl,CMICtrlWnd
"NeroFilterCheck"=C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
"Monitor"=C:\WINDOWS\PixArt\PAC7311\Monitor.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Free Download Manager\\fdm.exe"=
"C:\\Program Files\\Valve\\hl.exe"=
"C:\\Program Files\\ICQ619_56_29\\ICQ.exe"=
"C:\\Program Files\\ICQ615_08_18\\ICQ.exe"=
"C:\\Program Files\\ICQ6.5\\ICQ.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Graffiti Studio 2.0\\Graffiti Studio.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Nero\\Nero8\\Nero Home\\NeroHome.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 rttmntr;R-TT Backup Archive Explorer;C:\WINDOWS\system32\drivers\rttmntr.sys [19. 11. 2004 15:11:57 200512]
R0 snaprtt;R-TT Snapshots Manager;C:\WINDOWS\system32\drivers\snaprtt.sys [19. 11. 2004 15:11:58 78624]
R1 anf0100.sys;anf0100.sys;C:\WINDOWS\system32\drivers\anf0100.sys [8. 12. 2009 14:19:56 9728]
R1 nod32drv;nod32drv;C:\WINDOWS\system32\drivers\nod32drv.sys [12. 10. 2007 19:01:38 15424]
R2 rttfsfilt;R-TT FS Filter;C:\WINDOWS\system32\drivers\rttfsfilt.sys [19. 11. 2004 15:11:56 27936]
S2 gupdate1ca2e612c1446a;Služba Google Update (gupdate1ca2e612c1446a);C:\Program Files\Google\Update\GoogleUpdate.exe [5. 9. 2009 20:42:28 133104]
S3 SE402RefCameraStill;miniSHOT (WDM);C:\WINDOWS\system32\drivers\aox402sc.sys [1. 9. 2007 15:02:59 67332]
S4 a347bus;a347bus;C:\WINDOWS\system32\drivers\a347bus.sys [17. 8. 2007 8:31:07 160640]
S4 a347scsi;a347scsi;C:\WINDOWS\system32\drivers\a347scsi.sys [17. 8. 2007 8:31:07 5248]
S4 sptd;sptd;C:\WINDOWS\system32\drivers\sptd.sys [30. 6. 2007 11:14:06 685816]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2010-11-12 C:\WINDOWS\Tasks\1-Click Maintenance.job
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe [2006-12-19 15:53:42 . 2006-12-30 13:13:57]

2010-11-19 C:\WINDOWS\Tasks\Google Software Updater.job
- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2010-01-08 19:09:36 . 2010-01-08 19:09:36]

2010-11-19 C:\WINDOWS\Tasks\RealUpgradeLogonTaskS-1-5-21-1606980848-362288127-725345543-1003.job
- C:\Program Files\Real\RealUpgrade\realupgrade.exe [2010-02-24 20:09:42 . 2010-02-24 20:09:42]

2010-11-19 C:\WINDOWS\Tasks\RealUpgradeScheduledTaskS-1-5-21-1606980848-362288127-725345543-1003.job
- C:\Program Files\Real\RealUpgrade\realupgrade.exe [2010-02-24 20:09:42 . 2010-02-24 20:09:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.sk/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - C:\WINDOWS\system32\GPhotos.scr/200
IE: E&xportovat do aplikace Microsoft Office Excel - C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Prevziať pomocou FDM - file://C:\Program Files\Free Download Manager\dllink.htm
IE: Prevziať video pomocou FDM - file://C:\Program Files\Free Download Manager\dlfvideo.htm
IE: Prevziať vybrané pomocou FDM - file://C:\Program Files\Free Download Manager\dlselected.htm
IE: Prevziať všetko pomocou FDM - file://C:\Program Files\Free Download Manager\dlall.htm
IE: {{7E6A20FB-153F-402c-A84B-1A64E1955D3D} - {7E6A20FB-153F-402c-A84B-1A64E1955D3D} -
LSP: C:\WINDOWS\system32\imon.dll
TCP: {3C14DDFA-0C1A-49B7-B680-3FF8FC9E8231} = 10.1.1.2,192.168.202.1
DPF: {3D54FEE0-CE46-11D4-8288-0050BA6A5ABF} - file://C:\Program Files\NewSoft\Presto! Mr.Photo 3\CardExpr\iepiev20.cab
DPF: {8B0C8CF4-17F3-42D5-8D62-95F2E8339C26} - hxxp://symantec.softmall.com.tw/ftcdm/ftcdm.cab
FF - ProfilePath - C:\Documents and Settings\AMD\Data aplikací\Mozilla\Firefox\Profiles\aedj9z2a.default\
FF - prefs.js: browser.startup.homepage - www.google.sk
FF - prefs.js: network.proxy.type - 4
FF - component: C:\Documents and Settings\All Users\Data aplikací\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - component: C:\Documents and Settings\AMD\Data aplikací\Mozilla\Firefox\Profiles\aedj9z2a.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: C:\Documents and Settings\AMD\Data aplikací\Mozilla\Firefox\Profiles\aedj9z2a.default\extensions\{9565115d-c7d6-46d3-bd63-b67b481a4368}\components\FFExternalAlert.dll
FF - plugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files\Google\Google Updater\2.4.1698.5652\npCIDetect13.dll
FF - plugin: C:\Program Files\Google\Picasa3\npPicasa3.dll
FF - plugin: C:\Program Files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: C:\Program Files\Mozilla Firefox\plugins\npganymedenet.dll
FF - plugin: C:\Program Files\Mozilla Firefox\plugins\npkimi.dll
FF - plugin: C:\Program Files\Mozilla Firefox\plugins\npzylomgamesplayer.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-connections-per-server - 6
FF - user.js: network.http.max-persistent-connections-per-server - 3
FF - user.js: content.max.tokenizing.time - 1500000
FF - user.js: content.notify.interval - 750000
FF - user.js: nglayout.initialpaint.delay - 100
C:\Program Files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".sk");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-19 15:29:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\RGI43.tmp

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1606980848-362288127-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(756)
C:\WINDOWS\system32\Ati2evxx.dll
C:\Program Files\iolo\Common\Lib\sguard.dll

- - - - - - - > 'lsass.exe'(824)
C:\Program Files\iolo\Common\Lib\sguard.dll
C:\WINDOWS\system32\imon.dll
C:\Program Files\Eset\pr_imon.dll

- - - - - - - > 'csrss.exe'(728)
C:\Program Files\iolo\Common\Lib\sguard.dll
.
Completion time: 2010-11-19 15:33:40
ComboFix-quarantined-files.txt 2010-11-19 14:33:36
ComboFix2.txt 2010-11-18 14:23:25
ComboFix3.txt 2010-11-18 13:50:55
ComboFix4.txt 2010-11-17 14:09:33

Pre-Run: Free bytes: 26 712 678 400
Post-Run: Free bytes: 26 695 491 584

- - End Of File - - ABC000D9C831EA876B5258FA9DDC7E64
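The helper in this thread reads the ComboFix log by eye for a handful of tell-tale signs: a copy of lsass.exe sitting in the user's Temp folder, executables dropped into Temp, the Windows Firewall switched off, catchme reporting a hidden file, an outdated resident antivirus, and the FCopy that overwrote the boot-critical atapi.sys. The following Python script, added here as an illustration and not part of the thread nor ComboFix's own tooling, applies those same checks mechanically to a log. The sample log is a constructed excerpt made of lines taken from the log above; the rule names, the severities, the SYSTEM_BINARIES set and the BOOT_CRITICAL_DRIVERS list are my own assumptions chosen for the example.

```python
"""Triage a ComboFix log for the indicators a malware-removal helper looks for.

Added example, not part of the thread or of ComboFix. Rule names, severities
and the two name sets below are assumptions made for this illustration.
"""
import re
from typing import Callable, Dict, List, Optional, Tuple

# On Windows XP these binaries legitimately live only in %SystemRoot%\system32.
SYSTEM_BINARIES = {"lsass.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "smss.exe", "svchost.exe"}
# Drivers whose replacement deserves a second look (short illustrative list).
BOOT_CRITICAL_DRIVERS = {"atapi.sys", "ntfs.sys", "disk.sys"}

Finding = Tuple[str, str, str]  # (severity, rule name, evidence)

# A Windows path: drive letter, colon, backslash, then anything up to
# whitespace, a quote or a square bracket (ComboFix puts timestamps in []).
_PATH_RE = re.compile(r'([A-Za-z]:\\[^\s"\[\]]+)')


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _masquerade(line: str) -> Optional[Finding]:
    """A core system binary name found outside \\system32\\ (e.g. lsass.exe in Temp)."""
    for path in _PATH_RE.findall(line):
        if _basename(path) in SYSTEM_BINARIES and "\\system32\\" not in path.lower():
            return ("high", "system-binary-outside-system32", path)
    return None


def _temp_executable(line: str) -> Optional[Finding]:
    """An .exe under a Temp directory; common for droppers and unpacked payloads."""
    for path in _PATH_RE.findall(line):
        low = path.lower()
        if "\\temp\\" in low and low.endswith(".exe"):
            return ("low", "executable-in-temp", path)
    return None


def _firewall_off(line: str) -> Optional[Finding]:
    """Windows Firewall disabled in the profile ComboFix dumps."""
    if re.search(r'"EnableFirewall"\s*=\s*0\b', line):
        return ("medium", "windows-firewall-disabled", line.strip())
    return None


def _hidden_files(line: str) -> Optional[Finding]:
    """catchme summary line reporting one or more hidden files."""
    m = re.match(r"hidden files:\s*(\d+)", line.strip())
    if m and int(m.group(1)) > 0:
        return ("high", "catchme-hidden-files", line.strip())
    return None


def _av_status(line: str) -> Optional[Finding]:
    """Resident antivirus present but outdated or with on-access scanning off."""
    if line.startswith("AV:") and ("(Outdated)" in line or
                                   "*On-access scanning disabled*" in line):
        return ("medium", "resident-av-degraded", line.strip())
    return None


def _driver_fcopy(line: str) -> Optional[Finding]:
    """An FCopy 'source --> destination' line that replaced a boot-critical driver."""
    m = re.match(r"\s*(\S+)\s*-->\s*(\S+)", line)
    if m and _basename(m.group(2)) in BOOT_CRITICAL_DRIVERS:
        return ("info", "boot-critical-driver-replaced", line.strip())
    return None


RULES: List[Callable[[str], Optional[Finding]]] = [
    _masquerade, _temp_executable, _firewall_off, _hidden_files, _av_status, _driver_fcopy,
]


def triage(log_text: str) -> List[Finding]:
    """Run every rule over every line; a line may yield more than one finding."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        for rule in RULES:
            hit = rule(line)
            if hit is not None:
                findings.append(hit)
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity."""
    counts: Dict[str, int] = {}
    for severity, _, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


# Constructed excerpt: lines copied from the ComboFix log posted in this thread,
# plus two benign lines to show they are not flagged.
SAMPLE_LOG = r"""AV: Eset NOD32 Antivirus 2.70 *On-access scanning enabled* (Outdated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
file zipped: C:\DOCUME~1\AMD\LOCALS~1\Temp\lsass.exe
C:\DOCUME~1\AMD\LOCALS~1\Temp\vv2.exe
C:\atapi.sys --> c:\windows\system32\drivers\atapi.sys
"EnableFirewall"= 0 (0x0)
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-17 13:49:24 15360]
- - - - - - - > 'lsass.exe'(824)
hidden files: 1
"""

if __name__ == "__main__":
    for severity, rule, evidence in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {rule}: {evidence}")
    print(summarize(triage(SAMPLE_LOG)))
```

The rules are deliberately path-based rather than name-based: the process list at the end of the log shows a perfectly legitimate `'lsass.exe'(824)`, and only the copy under `Temp` is suspicious. The FCopy rule is rated `info`, not an alarm, because replacing atapi.sys is exactly what the helper intended; the point is to make that change visible in the summary so it is not forgotten when the machine fails to boot.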