Avast mi nasel win32/malware gen a nemuzu se ho zbavit

[Gimplak]

tak uz to konecne doskenovalo

GMER 1.0.15.15125 - http://www.gmer.net
Rootkit scan 2009-10-14 21:03:03
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Kroutil\LOCALS~1\Temp\kgqirfob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xEB3766B8]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwCreateFile [0xEB28B868]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xEB376574]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwCreateProcess [0xEB28AE90]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwCreateProcessEx [0xEB28AD9C]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwCreateThread [0xEB28B3FC]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwDeleteFile [0xEB28C210]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwDeleteKey [0xEB288786]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xEB376A52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xEB37614C]
SSDT spxe.sys ZwEnumerateKey [0xF73FCCA2]
SSDT spxe.sys ZwEnumerateValueKey [0xF73FD030]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwOpenFile [0xEB28BB54]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xEB37664E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xEB37608C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xEB3760F0]
SSDT spxe.sys ZwQueryKey [0xF73FD108]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xEB37676E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xEB37672E]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwResumeThread [0xEB28B4EC]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwSetInformationFile [0xEB28BE8C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xEB3768AE]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwWriteFile [0xEB28BDE0]

INT 0x62 ? 86FDABF8
INT 0x73 ? 86FDABF8
INT 0x82 ? 86FDABF8
INT 0x83 ? 86FDABF8
INT 0xB4 ? 86D09BF8

---- Kernel code sections - GMER 1.0.15 ----

? spxe.sys Systém nemůže nalézt uvedený soubor. !
? Combo-Fix.sys Systém nemůže nalézt uvedený soubor. !
.text USBPORT.SYS!DllUnload F5D908AC 5 Bytes JMP 86D091D8
.text a73vdawr.SYS F551E384 1 Byte [20]
.text a73vdawr.SYS F551E384 37 Bytes [20, 00, 00, 68, 00, 00, 00, ...]
.text a73vdawr.SYS F551E3AA 24 Bytes [00, 00, 20, 00, 00, E0, 00, ...]
.text a73vdawr.SYS F551E3C4 3 Bytes [00, 00, 00]
.text a73vdawr.SYS F551E3C9 1 Byte [00]
.text ...

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F73E0040] spxe.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F73E013C] spxe.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F73E00BE] spxe.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F73E07FC] spxe.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F73E06D2] spxe.sys
IAT \SystemRoot\System32\Drivers\a73vdawr.SYS[HAL.dll!KfAcquireSpinLock] 000000AD
IAT \SystemRoot\System32\Drivers\a73vdawr.SYS[HAL.dll!READ_PORT_UCHAR] 000000D4
IAT \SystemRoot\System32\Drivers\a73vdawr.SYS[HAL.dll!KeGetCurrentIrql] 000000A2
IAT \SystemRoot\System32\Drivers\a73vdawr.SYS[HAL.dll!KfRaiseIrql] 000000AF
IAT \SystemRoot\System32\Drivers\a73vdawr.SYS[HAL.dll!KfLowerIrql] 0000009C
IAT \SystemRoot\System32\Drivers\a73vdawr.SYS[HAL.dll!HalGetInterruptVector] 000000A4
IAT \SystemRoot\System32\Drivers\a73vdawr.SYS[HAL.dll!HalTranslateBusAddress] 00000072
IAT \SystemRoot\System32\Drivers\a73vdawr.SYS[HAL.dll!KeStallExecutionProcessor] 000000C0
IAT \SystemRoot\System32\Drivers\a73vdawr.SYS[HAL.dll!KfReleaseSpinLock] 000000B7
IAT \SystemRoot\System32\Drivers\a73vdawr.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 000000FD
IAT \SystemRoot\System32\Drivers\a73vdawr.SYS[HAL.dll!READ_PORT_USHORT] 00000093
IAT \SystemRoot\System32\Drivers\a73vdawr.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 00000026
IAT \SystemRoot\System32\Drivers\a73vdawr.SYS[HAL.dll!WRITE_PORT_UCHAR] 00000036
IAT \SystemRoot\System32\Drivers\a73vdawr.SYS[WMILIB.SYS!WmiSystemControl] 000000F7
IAT \SystemRoot\System32\Drivers\a73vdawr.SYS[WMILIB.SYS!WmiCompleteRequest] 000000CC

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[1068] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003D0002
IAT C:\WINDOWS\system32\services.exe[1068] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003D0000

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 86FD91F8

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\NetBT \Device\NetBT_Tcpip_{06DCD98A-7371-43AE-B74C-483E0090BE6E} 85CFC1F8
Device \Driver\usbohci \Device\USBPDO-0 86DE11F8
Device \Driver\usbehci \Device\USBPDO-1 86D021F8

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.)

Device \Driver\prodrv06 \Device\ProDrv06 E1EE4828
Device \Driver\PCI_PNP5444 \Device\00000057 spxe.sys
Device \Driver\PCI_PNP5444 \Device\00000057 spxe.sys
Device \Driver\Ftdisk \Device\HarddiskVolume1 86FDB1F8
Device \Driver\Cdrom \Device\CdRom0 86DB81F8
Device \Driver\Cdrom \Device\CdRom1 86DB81F8
Device \Driver\sptd \Device\3009316694 spxe.sys
Device \Driver\prohlp02 \Device\ProHlp02 E163BF80
Device \Driver\nvata \Device\00000077 86FDA1F8
Device \Driver\nvata \Device\00000077 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\NetBT \Device\NetBt_Wins_Export 85CFC1F8
Device \Driver\NetBT \Device\NetbiosSmb 85CFC1F8
Device \Driver\nvata \Device\00000079 86FDA1F8
Device \Driver\nvata \Device\00000079 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\usbohci \Device\USBFDO-0 86DE11F8
Device \Driver\usbehci \Device\USBFDO-1 86D021F8
Device \Driver\nvata \Device\NvAta0 86FDA1F8
Device \Driver\nvata \Device\NvAta0 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 85A7A1F8
Device \Driver\nvata \Device\NvAta1 86FDA1F8
Device \Driver\nvata \Device\NvAta1 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \FileSystem\MRxSmb \Device\LanmanRedirector 85A7A1F8
Device \Driver\nvata \Device\NvAta2 86FDA1F8
Device \Driver\nvata \Device\NvAta2 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\Ftdisk \Device\FtControl 86FDB1F8
Device \Driver\a73vdawr \Device\Scsi\a73vdawr1 86DA1368
Device \Driver\a73vdawr \Device\Scsi\a73vdawr1 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\a73vdawr \Device\Scsi\a73vdawr1Port3Path0Target0Lun0 86DA1368
Device \Driver\a73vdawr \Device\Scsi\a73vdawr1Port3Path0Target0Lun0 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \FileSystem\Cdfs \Cdfs 86C0D500

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 195711234
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 -576347737
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x28 0x86 0x55 0x1F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x7C 0x48 0x94 0xC2 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x03 0x4E 0x14 0x1A ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x28 0x86 0x55 0x1F ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x7C 0x48 0x94 0xC2 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x8A 0xF4 0x43 0x18 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x28 0x86 0x55 0x1F ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x7C 0x48 0x94 0xC2 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x03 0x4E 0x14 0x1A ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- EOF - GMER 1.0.15 ----

[Gimplak]

a tady je teda ten ComboFix


ComboFix 09-10-12.03 - Kroutil 14.10.2009 21:08.7.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1250.420.1029.18.1023.574 [GMT 2:00]
Spuštěný z: c:\documents and settings\Kroutil\Dokumenty\Stažené soubory\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\Kroutil\Plocha\CFScript.txt
AV: avast! antivirus 4.8.1351 [VPS 091013-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
"c:\windows\TEMP\ru394lbb.TMP"
.

((((((((((((((((((((((((( Soubory vytvořené od 2009-09-14 do 2009-10-14 )))))))))))))))))))))))))))))))
.

2009-10-13 19:08 . 2008-10-31 05:09 270888 ----a-r- c:\windows\system32\drivers\SbFw.sys
2009-10-13 19:08 . 2008-06-21 02:54 65576 ----a-w- c:\windows\system32\drivers\SbFwIm.sys
2009-10-13 17:20 . 2009-10-13 17:20 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-21 19:29 . 2009-09-21 19:31 -------- d-----w- c:\program files\The KMPlayer

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-12 20:04 . 2006-11-20 14:45 -------- d-----w- c:\program files\Realtek AC97
2009-09-22 13:07 . 2008-11-27 21:20 -------- d-----w- c:\program files\Metin2_TESTER
2009-09-11 07:16 . 2008-12-30 17:48 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-02 17:14 . 2006-12-31 17:30 -------- d-----w- c:\program files\EA GAMES
2009-09-02 12:51 . 2009-01-11 19:28 -------- d-----w- c:\program files\SweetIM
2009-08-24 10:17 . 2006-03-02 12:00 83652 ----a-w- c:\windows\system32\perfc005.dat
2009-08-24 10:17 . 2006-03-02 12:00 440316 ----a-w- c:\windows\system32\perfh005.dat
2009-08-24 10:12 . 2009-08-24 10:12 -------- d-----w- c:\program files\MSBuild
2009-08-24 10:12 . 2009-08-24 10:12 -------- d-----w- c:\program files\Reference Assemblies
2009-08-17 16:10 . 2006-12-05 10:22 1279456 ----a-w- c:\windows\system32\aswBoot.exe
2009-08-17 16:06 . 2006-12-05 10:22 93392 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-08-17 16:06 . 2006-12-05 10:22 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-08-17 16:05 . 2008-04-27 16:03 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-08-17 16:05 . 2008-04-27 16:03 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-08-17 16:04 . 2006-12-05 10:22 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-08-17 16:04 . 2006-12-05 10:22 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-08-17 16:03 . 2006-12-05 10:22 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-08-17 16:02 . 2006-12-05 10:22 97480 ----a-w- c:\windows\system32\AVASTSS.scr
2009-08-05 09:01 . 2006-03-02 12:00 205312 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-25 03:23 . 2009-01-01 02:48 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:04 . 2006-03-02 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2007-01-22 13:40 . 2007-01-22 13:40 123392 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-10-13_19.56.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-14 19:14 . 2009-10-14 19:14 16384 c:\windows\Temp\Perflib_Perfdata_d4.dat
+ 2009-10-14 17:21 . 2009-10-14 17:21 16384 c:\windows\Temp\Perflib_Perfdata_748.dat
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847}]
2009-05-20 12:36 1258808 ----a-w- c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EEE6C35B-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2009-05-20 1258808]

[HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SWEETIE.IEToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SWEETIE.IEToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{EEE6C35B-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2009-05-20 1258808]

[HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SWEETIE.IEToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SWEETIE.IEToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-02-13 486856]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2008-07-21 2752512]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-11-11 7311360]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-11-11 86016]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-29 155648]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-03-21 69632]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-01-22 157696]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 159744]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-01-08 68640]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-09-07 267064]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"RemoteControl9"="c:\program files\CyberLink\PowerDVD9\PDVD9Serv.exe" [2009-02-16 87336]
"PDVD9LanguageShortcut"="c:\program files\CyberLink\PowerDVD9\Language\Language.exe" [2008-10-13 50472]
"BDRegion"="c:\program files\Cyberlink\Shared Files\brs.exe" [2009-03-30 75048]
"ioCentre"="c:\genius\ioCentre\gTaskBar.exe" [2007-04-13 61440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"SweetIM"="c:\program files\SweetIM\Messenger\SweetIM.exe" [2009-08-26 111928]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2005-11-11 1519616]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Kroutil\Nabˇdka Start\Programy\Po spuçtŘnˇ\
OpenOffice.org 2.2.lnk - c:\program files\OpenOffice.org 2.2\program\quickstart.exe [2007-2-2 393216]

c:\documents and settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\TrackMania Nations ESWC\\TmNationsESWC.exe"=
"c:\\Program Files\\Valve\\hl.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Hamachi\\hamachi.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"c:\\Program Files\\Ubisoft\\Crytek\\Far Cry\\Bin32\\FarCry.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Metin2_TESTER\\metin2.bin"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Documents and Settings\\Kroutil\\Plocha\\HRY\\World of Warcraft\\Launcher.exe"=
"c:\\Documents and Settings\\Kroutil\\Plocha\\HRY\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Documents and Settings\\Kroutil\\Plocha\\HRY\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enGB-downloader.exe"=
"c:\\Documents and Settings\\Kroutil\\Plocha\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 sfdrv01a;StarForce Protection Environment Driver (version 1.x.a);c:\windows\system32\drivers\sfdrv01a.sys [5.7.2006 14:46 63352]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [27.4.2008 18:03 114768]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [20.11.2006 16:41 13696]
R1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [13.10.2009 21:08 270888]
R2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2009/04/26 14:01];c:\program files\CyberLink\PowerDVD9\000.fcl [30.3.2009 17:53 87536]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [27.4.2008 18:03 20560]
R2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [23.6.2008 18:49 222456]
R3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\SbFwIm.sys [13.10.2009 21:08 65576]
S2 gupdate1c9dd6e1995a577;Služba Google Update (gupdate1c9dd6e1995a577);c:\program files\Google\Update\GoogleUpdate.exe [25.5.2009 21:22 133104]
S2 SbPF.Launcher;SbPF.Launcher;"c:\program files\Sunbelt Software\Personal Firewall\SbPFLnch.exe" --> c:\program files\Sunbelt Software\Personal Firewall\SbPFLnch.exe [?]
S3 gHidPnp;USB Device Enhanced Function Driver;c:\windows\system32\drivers\gHidPnp.sys [8.7.2009 18:41 16384]
S3 gMouPS2;PS2 Scroll Mouse Device;c:\windows\system32\drivers\gMouPS2.sys [8.7.2009 18:41 17408]
S3 gMouUsb;USB Mouse Device Drv;c:\windows\system32\drivers\gMouUsb.sys [8.7.2009 18:41 9856]
S3 z520bus;Sony Ericsson 520 driver (WDM);c:\windows\system32\drivers\z520bus.sys [7.9.2005 16:42 57648]
S3 z520mdfl;Sony Ericsson 520 USB WMC Modem Filter;c:\windows\system32\drivers\z520mdfl.sys [7.9.2005 16:42 8336]
S3 z520mdm;Sony Ericsson 520 USB WMC Modem Drivers;c:\windows\system32\drivers\z520mdm.sys [7.9.2005 16:43 93488]
S3 z520mgmt;Sony Ericsson 520 USB WMC Device Management Drivers;c:\windows\system32\drivers\z520mgmt.sys [7.9.2005 16:43 84928]
S3 z520obex;Sony Ericsson 520 USB WMC OBEX Interface Drivers;c:\windows\system32\drivers\z520obex.sys [7.9.2005 16:43 82864]
.
Obsah adresáře 'Naplánované úlohy'

2009-10-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 10:34]

2009-10-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-25 19:21]

2009-10-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-25 19:21]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.seznam.cz/
mStart Page = hxxp://home.sweetim.com
uInternet Settings,ProxyOverride = local
IE: &ICQ Toolbar Search - c:\program files\ICQToolbar\toolbaru.dll/SEARCH.HTML
IE: &Search - ?p=ZJfox000
IE: Crawler Search - tbr:iemenu
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint - Náhled - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint - Přidat na seznam k tisku - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint - Tisk - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
IE: Easy-WebPrint - Vysokorychlostní tisk - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: {{230D1201-7607-4CF6-A11F-9E4BF0A333E0} - {0DB13731-CEFD-43CF-A8FD-B61DCBC4D5B8} - c:\program files\Eurotran XP\etnxp.dll
IE: {{2C73F784-D2DE-4422-B070-2E3332FE5744} - {0320AC26-52C8-4316-B2C4-24BB6FA73C9A} - c:\program files\Eurotran XP\etnxp.dll
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\Crawler\Toolbar\ctbr.dll
FF - ProfilePath - c:\documents and settings\Kroutil\Data aplikací\Mozilla\Firefox\Profiles\c83i06wy.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.sweetim.com/search.asp?src=2&q=
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.seznam.cz/
FF - prefs.js: keyword.URL - hxxp://supertoolbar.ask.com/redirect?client=ff&src=kw&tb=PTV&o=15184&locale=en_US&q=
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPBerSMB.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nppopcaploader.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-14 21:14
Windows 5.1.2600 Service Pack 3 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{B154377D-700F-42cc-9474-23858FBDF4BD}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD9\000.fcl"
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------

[HKEY_USERS\S-1-5-21-1801674531-1993962763-725345543-1004\Software\SecuROM\License information*]
"datasecu"=hex:f2,7b,a4,b6,d2,c3,95,03,02,fa,f8,09,df,a2,cd,99,63,f1,a7,a2,c5,
a9,13,c1,e8,98,67,22,74,22,a8,25,fe,11,4e,01,e5,9c,11,d7,b3,72,b3,b4,72,67,\
"rkeysecu"=hex:9c,4b,ab,f1,dc,13,f6,67,b9,05,cd,1c,29,46,8e,89
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'explorer.exe'(3720)
c:\program files\ScanSoft\OmniPageSE4.0\OpHookSE4.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Teleca Shared\CapabilityManager.exe
c:\program files\OpenOffice.org 2.2\program\soffice.exe
c:\genius\ioCentre\gMouseTask.exe
c:\genius\ioCentre\gKbdTask.exe
c:\program files\OpenOffice.org 2.2\program\soffice.bin
c:\genius\ioCentre\gDeskMgm.exe
c:\genius\ioCentre\gTaskSwitch.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Teleca Shared\Generic.exe
c:\program files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
.
**************************************************************************
.
Celkový čas: 2009-10-14 21:21 - počítač byl restartován
ComboFix-quarantined-files.txt 2009-10-14 19:21
ComboFix2.txt 2009-10-14 13:04
ComboFix3.txt 2009-10-13 20:12
ComboFix4.txt 2009-10-13 19:58

Před spuštěním: Volných bajtů: 20 514 312 192
Po spuštění: Volných bajtů: 20 474 494 976

245 --- E O F --- 2009-10-13 20:33

[earl]

Ok,

jak se chova pc?

[Gimplak]

Pc trochu zabrzdeny a porad bezej ty procesy

[earl]

Jak se ty procesy nazyvaji?

[Gimplak]

vsechny maj zakonceni .exe a neco sou programy co mam normalne v pocitaci a u nejakejch nvm co sou

[earl]

Pokracovat budeme zitra-jdu do prace.

[Gimplak]

ok

[earl]

Start - spustit - napiste combofix /u - a klepnout na OK



Pouzijte T-Cleaner na vycisteni pc po docasnych souborech pri odvirovani.Postupujte dle instrukci na obrazovce.Pri detekci antivirem se jedna o falesny poplach.

Vycistete pc Ccleanerem.Vzdy nejprve Analyzovat a pak Spustit Cleaner.2x po sobe.
Windows-odskrtnout historii a historii automatickeho vyplnovani formularu - prisel byste o historii navstivenych stranek a o ulozena hesla ve formularich(je to sice z pohledu zabezpeceni spatne,ale aspon pak uzivatel nenadava,kam ze mu to zmizelo )
Aplikace-u prohlizecu internetu odskrtnout Historii internetu.
Registry-nechat vse zaskrtle,Hledej problemy,Opravit vybrane problemy(nechat ho udelat zalohu-ta je ulozena v Dokumentech).Taktez 2x-3x po sobe.

Pouzijte MBAM -instalace,uplny sken,vlozit sem log-NIC NEMAZAT!

Stahnete a pouzijte utilitu Autoruns v mem podpisu.

Po prvnim spusteni po dokonceni nabehu zaklepnete fajfku na zalozce Options u polozky Hide Microsoft Entries

a zavrete a spustte znovu.

Pote zkontrolujte vsechny polozky,spoustejici se po startu,popr. omezte pocet.

Pak popiste stav.

[Gimplak]

Ja dneska jedu pryc a k PC se dostanu tak v nedeli navecer takze ten log a stav PC napisu pak protoze ted uz bych to nestih

[earl]

Ok.

[Gimplak]

tady ten log

Malwarebytes' Anti-Malware 1.41
Verze databáze: 2971
Windows 5.1.2600 Service Pack 3

18.10.2009 18:29:55
mbam-log-2009-10-18 (18-29-55).txt

Typ kontroly: Kompletní kontrola (C:\|)
Zkontrolované objekty: 214873
Uplynulý čas: 1 hour(s), 7 minute(s), 50 second(s)

Infikované procesy v paměti: 0
Infikované moduly v paměti: 0
Infikované klíče registru: 3
Infikované hodnoty registru: 0
Infikované datové položky registru: 1
Infikované adresáře: 0
Infikované soubory: 10

Infikované procesy v paměti:
(Nebyly nalezeny žádné škodlivé položky)

Infikované moduly v paměti:
(Nebyly nalezeny žádné škodlivé položky)

Infikované klíče registru:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{055fd26d-3a88-4e15-963d-dc8493744b1d} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{055fd26d-3a88-4e15-963d-dc8493744b1d} (Trojan.BHO) -> Quarantined and deleted successfully.

Infikované hodnoty registru:
(Nebyly nalezeny žádné škodlivé položky)

Infikované datové položky registru:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Infikované adresáře:
(Nebyly nalezeny žádné škodlivé položky)

Infikované soubory:
C:\Program Files\EA GAMES\Need for Speed Underground 2\rld-nu2k.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pfxzmtaim.dll (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pfxzmtforum.dll (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pfxzmtgtal.dll (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pfxzmticq.dll (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pfxzmtsmt.dll (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pfxzmtymsg.dll (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sfxzmtforum.dll (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sfxzmtsmt.dll (Malware.Trace) -> Quarantined and deleted successfully.
C:\Program Files\ICQToolbar\toolbaru.dll (Trojan.BHO) -> Quarantined and deleted successfully.

[earl]

Ok,jak vypada ten Autoruns?

[Gimplak]

No ted na to koukam ale nejak sem nepochopil co mam udelat po tom zaskrtnuti

[earl]

Jde o to,ze rada uzivatelu ma napr. ve slozce Po spusteni radu programu,ktere se spousti po startu Windows.

Takze nejprve jdete do slozky C:\Documents and Settings\jmeno_uzivatele\Nabidka Start\Programy\Po spusteni a zde odstrante nepotrebne programy.

Pote otevrete utilitu Autoruns a zkontrolujte znovu,co vse se spousti po startu a pomalu,po jedne,dvou polozkach zkuste pocet omezit.

Dejte pozor,at nezakazete neco,co potrebujete.