prosím o kontrolu logu

[martinv1]

tak tady to je


DDS (Ver_09-12-01.01) - NTFSx86 MINIMAL
Run by Administrator at 8:58:06,25 on po 15.02.2010
Internet Explorer: 6.0.2900.2180
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.420.1033.18.503.379 [GMT 1:00]

AV: Norton 360 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
AV: Eset NOD32 Antivirus 2.70 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
AV: Norton 360 *On-access scanning enabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
FW: Norton 360 *disabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Documents and Settings\Administrator.ADMIN-7168B3EE9\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\3.0.0.134\coIEPlg.dll
BHO: CIEDownload Object: {67bcf957-85fc-4036-8dc4-d4d80e00a77b} - c:\program files\smart board software\NotebookPlugin.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\3.0.0.134\IPSBHO.DLL
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\3.0.0.134\coIEPlg.dll
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [Dell Wireless Manager UI] c:\windows\system32\WLTRAY
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [MFFSum_Pro_LL2] "c:\program files\xerox companion suite\MFFSUM.exe"
mRun: [MFPrintServer_Pro_LL2] "c:\program files\xerox companion suite\MFPrintServer.exe"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [NSLauncher] c:\program files\nokia\nokia software launcher\NSLauncher.exe /startup
mRun: [nod32kui] "c:\program files\eset\nod32kui.exe" /WAITSERVICE
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nstroj~1.lnk - c:\program files\smart board software\SMARTBoardTools.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: c:\windows\system32\imon.dll
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360\engine\3.0.0.134\CoIEPlg.dll
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath -

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.XMLHttpRequest.channel", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("security.checkloaduri", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("bidi.characterset", 1);
c:\program files\mozilla firefox\defaults\pref\channel-prefs.js - pref("app.update.channel", "release");
c:\program files\mozilla firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0305020.00b\SymEFA.sys [2009-9-9 310320]
S0 01200172;01200172 Boot Guard Driver;c:\windows\system32\drivers\01200172.sys --> c:\windows\system32\drivers\01200172.sys [?]
S1 01200171;01200171;c:\windows\system32\drivers\01200171.sys --> c:\windows\system32\drivers\01200171.sys [?]
S1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100106.001\IDSXpx86.sys [2010-1-9 329592]
S1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2009-10-30 15424]
S1 setup_9.0.0.722_12.02.2010_09-26drv;setup_9.0.0.722_12.02.2010_09-26drv;c:\windows\system32\drivers\0120017.sys --> c:\windows\system32\drivers\0120017.sys [?]
S1 sp_rsdrv2;Spyware Terminator Driver 2;c:\documents and settings\all users\application data\spyware terminator\sp_rsdrv2.sys [2010-2-11 131712]
S2 FUSServices;Session Launcher Service;c:\windows\system32\FUSServices.exe [2008-5-23 10752]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S2 N360;Norton 360;c:\program files\norton 360\engine\3.5.2.11\ccSvcHst.exe [2009-9-9 117640]
S2 NOD32krn;NOD32 Kernel Service;c:\program files\eset\nod32krn.exe [2009-10-30 552064]
S3 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0300000.086\BHDrvx86.sys [2009-4-26 258608]
S3 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0300000.086\cchpx86.sys [2009-4-26 482352]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-26 102448]
S3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100109.006\NAVENG.SYS [2010-1-10 84912]
S3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100109.006\NAVEX15.SYS [2010-1-10 1323568]
S3 PSched;QoS Packet Scheduler;c:\windows\system32\drivers\psched.sys [2004-8-10 69120]
S3 XMLDIUSB;XML USB Device Interface;c:\windows\system32\drivers\XMLDIUSB.sys [2008-12-4 33152]

=============== Created Last 30 ================

2010-02-12 07:17:21 0 d-----w- c:\windows\LastGood.Tmp
2010-02-11 11:27:34 98816 ----a-w- c:\windows\sed.exe
2010-02-11 11:27:34 77312 ----a-w- c:\windows\MBR.exe
2010-02-11 11:27:34 261632 ----a-w- c:\windows\PEV.exe
2010-02-11 11:27:34 161792 ----a-w- c:\windows\SWREG.exe
2010-02-11 09:51:19 0 d-----w- c:\docume~1\alluse~1\applic~1\Spyware Terminator
2010-02-11 09:51:13 0 d-----w- c:\program files\Spyware Terminator

==================== Find3M ====================

2010-01-07 15:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 15:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

============= FINISH: 8:58:56,89 ===============

[Caroprd111]

Pokud nemáte, přesuňte Combofix na plochu
- otevřete si Poznámkový blok a zkopírujte do něj text z bílého okénka.

Kód: Vybrat vše

Driver::
setup_9.0.0.722_12.02.2010_09-26drv
01200171
01200172

File::
c:\windows\system32\drivers\0120017.sys 
c:\windows\system32\drivers\01200172.sys 
c:\windows\system32\drivers\01200171.sys 

- uložte Vámi vytvořený TXT soubor jako CFScript.txt na plochu
- po uložení uchopte vámi vytvořený skript levým myšítkem a přesuňte ho nad ikonu Combofixu, kde ho upustíte:


- po aplikaci na Vás vypadne další log,vložte ho sem

Může se stát, že po aplikaci skriptu a restartu Windows nenaběhnou, v tom případě znovu restartujte a přitom mačkejte F8, pak zvolte Poslední známou funkční konfiguraci

[martinv1]

ComboFix 10-02-10.04 - Administrator 15.02.2010 15:30:29.2.1 - x86 MINIMAL
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.420.1033.18.503.370 [GMT 1:00]
Spuštěný z: c:\documents and settings\Administrator.ADMIN-7168B3EE9\Desktop\pokus.com.exe
Použité ovládací přepínače :: c:\documents and settings\Administrator.ADMIN-7168B3EE9\Desktop\CFScript.txt
AV: Eset NOD32 Antivirus 2.70 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
AV: Norton 360 *On-access scanning enabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
AV: Norton 360 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *disabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

VAROVÁNÍ - NA TOMTO POČÍTAČI NENÍ NAINSTALOVÁNA KONZOLA PRO ZOTAVENÍ !!

FILE ::
"c:\windows\system32\drivers\0120017.sys"
"c:\windows\system32\drivers\01200171.sys"
"c:\windows\system32\drivers\01200172.sys"
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_01200171
-------\Legacy_01200172
-------\Legacy_SETUP_9.0.0.722_12.02.2010_09-26DRV
-------\Service_01200171
-------\Service_01200172
-------\Service_setup_9.0.0.722_12.02.2010_09-26drv


((((((((((((((((((((((((( Soubory vytvořené od 2010-01-15 do 2010-02-15 )))))))))))))))))))))))))))))))
.

2010-02-12 07:17 . 2010-02-12 16:47 -------- d-----w- c:\windows\LastGood.Tmp
2010-02-11 11:54 . 2010-02-11 11:54 -------- d-----w- C:\rsit
2010-02-11 09:51 . 2010-02-11 09:51 5632 ----a-w- c:\documents and settings\All Users\Application Data\Spyware Terminator\sp_rsdel.exe
2010-02-11 09:51 . 2010-02-11 09:51 5632 ----a-w- c:\documents and settings\All Users\Application Data\Spyware Terminator\fileobjinfo.sys
2010-02-11 09:51 . 2010-02-11 09:51 131712 ----a-w- c:\documents and settings\All Users\Application Data\Spyware Terminator\sp_rsdrv2.sys
2010-02-11 09:51 . 2010-02-11 09:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Spyware Terminator
2010-02-11 09:51 . 2010-02-11 09:53 -------- d-----w- c:\program files\Spyware Terminator

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-07 15:07 . 2008-09-22 07:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 15:07 . 2008-09-22 07:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-10 09:00 . 2010-01-10 06:27 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100109.006\CCERASER.DLL
.

((((((((((((((((((((((((((((( SnapShot@2010-02-11_11.38.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-12 16:47 . 2009-10-22 11:54 37392 c:\windows\LastGood.Tmp\system32\DRIVERS\01200172.sys
+ 2010-02-12 16:47 . 2009-09-25 15:59 128016 c:\windows\LastGood.Tmp\system32\DRIVERS\01200171.sys
+ 2010-02-12 16:47 . 2009-10-09 21:31 315408 c:\windows\LastGood.Tmp\system32\DRIVERS\0120017.sys
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-06-29 1032192]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-19 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-01 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-01 696320]
"MFFSum_Pro_LL2"="c:\program files\Xerox Companion Suite\MFFSUM.exe" [2008-05-23 24576]
"MFPrintServer_Pro_LL2"="c:\program files\Xerox Companion Suite\MFPrintServer.exe" [2008-05-23 73728]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-11-13 29984]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-11-13 46368]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"NSLauncher"="c:\program files\Nokia\Nokia Software Launcher\NSLauncher.exe" [2007-08-02 3096576]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2009-10-30 949376]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-01-07 1394000]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-10 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
N stroje SMART Board.lnk - c:\program files\SMART Board Software\SMARTBoardTools.exe [2006-5-10 3248128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0305020.00B\SymEFA.sys [9.9.2009 13:34 310320]
S1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100106.001\IDSXpx86.sys [9.1.2010 8:57 329592]
S1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [30.10.2009 10:19 15424]
S1 sp_rsdrv2;Spyware Terminator Driver 2;c:\documents and settings\All Users\Application Data\Spyware Terminator\sp_rsdrv2.sys [11.2.2010 10:51 131712]
S2 FUSServices;Session Launcher Service;c:\windows\system32\FUSServices.exe [23.5.2008 6:13 10752]
S2 N360;Norton 360;c:\program files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe [9.9.2009 13:33 117640]
S3 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0300000.086\BHDrvx86.sys [26.4.2009 21:54 258608]
S3 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0300000.086\cchpx86.sys [26.4.2009 21:54 482352]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [26.8.2009 9:00 102448]
S3 XMLDIUSB;XML USB Device Interface;c:\windows\system32\drivers\XMLDIUSB.sys [4.12.2008 11:19 33152]
.
.
------- Doplňkový sken -------
.
LSP: c:\windows\system32\imon.dll
FF - ProfilePath -

---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-15 15:42
Windows 5.1.2600 Service Pack 2 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.5.2.11\diMaster.dll\" /prefetch:1"
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(232)
c:\windows\System32\BCMLogon.dll
.
Celkový čas: 2010-02-15 15:47:22 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-02-15 14:47
ComboFix2.txt 2010-02-11 11:43

Před spuštěním: 38 848 761 856 bytes free
Po spuštění: 38 818 398 208 bytes free

- - End Of File - - F6248570536D03BF92FCC2E5FF50C992

[Caroprd111]

Vyberte si jeden antivir, zbývající odinstalujte.

[martinv1]

stále se to ale chová stejně

[Caroprd111]

Dejte log z Gmer http://www.viry.cz/forum/viewtopic.php?f=29&t=62878

[martinv1]

první log

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-02-16 14:37:42
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1.ADM\LOCALS~1\Temp\uwkoipow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

[Caroprd111]

OK, počkám na log č. 2

[martinv1]

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-16 17:18:00
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1.ADM\LOCALS~1\Temp\uwkoipow.sys


---- Kernel code sections - GMER 1.0.15 ----

? SYMEFA.SYS Systém nemůže nalézt uvedený soubor. !

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

[Caroprd111]

Stáhněte RootRepeal http://rootrepeal.googlepages.com/RootRepeal.zip

• Rozbalte a spusťte, klikněte na záložku Drivers, poté klikněte na Scan.
• Po dokončení skenu klikněte na Save Report, tím uložíte log, zkopírujte ho sem.

[martinv1]

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/02/17 17:32
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP2
==================================================

Drivers
-------------------
Name: 1394BUS.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\1394BUS.SYS
Address: 0xF8561000 Size: 53248 File Visible: - Signed: -
Status: -

Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xF84F2000 Size: 187776 File Visible: - Signed: -
Status: -

Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x804D7000 Size: 2180352 File Visible: - Signed: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0xF8466000 Size: 95360 File Visible: - Signed: -
Status: -

Name: BATTC.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\BATTC.SYS
Address: 0xF8959000 Size: 16384 File Visible: - Signed: -
Status: -

Name: Beep.SYS
Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xF8A61000 Size: 4224 File Visible: - Signed: -
Status: -

Name: BOOTVID.dll
Image Path: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xF8951000 Size: 12288 File Visible: - Signed: -
Status: -

Name: Cdfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xF8631000 Size: 63744 File Visible: - Signed: -
Status: -

Name: cdrom.sys
Image Path: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Address: 0xF85E1000 Size: 49536 File Visible: - Signed: -
Status: -

Name: CLASSPNP.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Address: 0xF85A1000 Size: 53248 File Visible: - Signed: -
Status: -

Name: compbatt.sys
Image Path: compbatt.sys
Address: 0xF8955000 Size: 9344 File Visible: - Signed: -
Status: -

Name: disk.sys
Image Path: disk.sys
Address: 0xF8591000 Size: 36352 File Visible: - Signed: -
Status: -

Name: dmio.sys
Image Path: dmio.sys
Address: 0xF847E000 Size: 153344 File Visible: - Signed: -
Status: -

Name: dmload.sys
Image Path: dmload.sys
Address: 0xF8A47000 Size: 5888 File Visible: - Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF815C000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8A71000 Size: 8192 File Visible: No Signed: -
Status: -

Name: Dxapi.sys
Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xF81C0000 Size: 12288 File Visible: - Signed: -
Status: -

Name: dxg.sys
Image Path: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF9C3000 Size: 73728 File Visible: - Signed: -
Status: -

Name: dxgthk.sys
Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xF8C45000 Size: 4096 File Visible: - Signed: -
Status: -

Name: Fastfat.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Address: 0xF7BC9000 Size: 143360 File Visible: - Signed: -
Status: -

Name: fltMgr.sys
Image Path: fltMgr.sys
Address: 0xF8446000 Size: 128896 File Visible: - Signed: -
Status: -

Name: framebuf.dll
Image Path: C:\WINDOWS\System32\framebuf.dll
Address: 0xBFF50000 Size: 12288 File Visible: - Signed: -
Status: -

Name: Fs_Rec.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xF8A5D000 Size: 7936 File Visible: - Signed: -
Status: -

Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xF84A4000 Size: 125056 File Visible: - Signed: -
Status: -

Name: GEARAspiWDM.sys
Image Path: C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys
Address: 0xF87F1000 Size: 21120 File Visible: - Signed: -
Status: -

Name: hal.dll
Image Path: C:\WINDOWS\system32\hal.dll
Address: 0x806EC000 Size: 131968 File Visible: - Signed: -
Status: -

Name: i8042prt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\i8042prt.sys
Address: 0xF85C1000 Size: 52736 File Visible: - Signed: -
Status: -

Name: imapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\imapi.sys
Address: 0xF85D1000 Size: 41856 File Visible: - Signed: -
Status: -

Name: intelide.sys
Image Path: intelide.sys
Address: 0xF8A45000 Size: 5504 File Visible: - Signed: -
Status: -

Name: isapnp.sys
Image Path: isapnp.sys
Address: 0xF8541000 Size: 35840 File Visible: - Signed: -
Status: -

Name: kbdclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Address: 0xF8901000 Size: 24576 File Visible: - Signed: -
Status: -

Name: KDCOM.DLL
Image Path: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xF8A41000 Size: 8192 File Visible: - Signed: -
Status: -

Name: ks.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ks.sys
Address: 0xF825A000 Size: 143360 File Visible: - Signed: -
Status: -

Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xF83CE000 Size: 92032 File Visible: - Signed: -
Status: -

Name: mouclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Address: 0xF88F1000 Size: 23040 File Visible: - Signed: -
Status: -

Name: MountMgr.sys
Image Path: MountMgr.sys
Address: 0xF8571000 Size: 42240 File Visible: - Signed: -
Status: -

Name: Msfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xF8919000 Size: 19072 File Visible: - Signed: -
Status: -

Name: mssmbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Address: 0xF89F1000 Size: 15488 File Visible: - Signed: -
Status: -

Name: Mup.sys
Image Path: Mup.sys
Address: 0xF82F9000 Size: 107904 File Visible: - Signed: -
Status: -

Name: NDIS.sys
Image Path: NDIS.sys
Address: 0xF8314000 Size: 182912 File Visible: - Signed: -
Status: -

Name: Npfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xF8929000 Size: 30848 File Visible: - Signed: -
Status: -

Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xF8341000 Size: 574464 File Visible: - Signed: -
Status: -

Name: ntoskrnl.exe
Image Path: C:\WINDOWS\system32\ntoskrnl.exe
Address: 0x804D7000 Size: 2180352 File Visible: - Signed: -
Status: -

Name: Null.SYS
Image Path: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xF8C76000 Size: 2944 File Visible: - Signed: -
Status: -

Name: ohci1394.sys
Image Path: ohci1394.sys
Address: 0xF8551000 Size: 61056 File Visible: - Signed: -
Status: -

Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xF87C9000 Size: 18688 File Visible: - Signed: -
Status: -

Name: pci.sys
Image Path: pci.sys
Address: 0xF84E1000 Size: 68224 File Visible: - Signed: -
Status: -

Name: PCIIde.sys
Image Path: PCIIde.sys
Address: 0xF8B09000 Size: 3328 File Visible: - Signed: -
Status: -

Name: PCIIDEX.SYS
Image Path: C:\WINDOWS\System32\Drivers\PCIIDEX.SYS
Address: 0xF87C1000 Size: 28672 File Visible: - Signed: -
Status: -

Name: pcmcia.sys
Image Path: pcmcia.sys
Address: 0xF84C3000 Size: 119936 File Visible: - Signed: -
Status: -

Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x804D7000 Size: 2180352 File Visible: - Signed: -
Status: -

Name: PxHelp20.sys
Image Path: PxHelp20.sys
Address: 0xF87D1000 Size: 19936 File Visible: - Signed: -
Status: -

Name: RAW
Image Path: \FileSystem\RAW
Address: 0x804D7000 Size: 2180352 File Visible: - Signed: -
Status: -

Name: rdpdr.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rdpdr.sys
Address: 0xF8229000 Size: 196864 File Visible: - Signed: -
Status: -

Name: redbook.sys
Image Path: C:\WINDOWS\system32\DRIVERS\redbook.sys
Address: 0xF85F1000 Size: 57472 File Visible: - Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF7C9C000 Size: 49152 File Visible: No Signed: -
Status: -

Name: sr.sys
Image Path: sr.sys
Address: 0xF8434000 Size: 73472 File Visible: - Signed: -
Status: -

Name: swenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\swenum.sys
Address: 0xF8A51000 Size: 4352 File Visible: - Signed: -
Status: -

Name: SYMEFA.SYS
Image Path: SYMEFA.SYS
Address: 0xF83E5000 Size: 323584 File Visible: No Signed: -
Status: -

Name: termdd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\termdd.sys
Address: 0xF8601000 Size: 40704 File Visible: - Signed: -
Status: -

Name: update.sys
Image Path: C:\WINDOWS\system32\DRIVERS\update.sys
Address: 0xF81D0000 Size: 364160 File Visible: - Signed: -
Status: -

Name: USBD.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Address: 0xF8A57000 Size: 8192 File Visible: - Signed: -
Status: -

Name: usbehci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Address: 0xF88D1000 Size: 26624 File Visible: - Signed: -
Status: -

Name: usbhub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Address: 0xF8611000 Size: 57600 File Visible: - Signed: -
Status: -

Name: USBPORT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Address: 0xF827D000 Size: 143360 File Visible: - Signed: -
Status: -

Name: USBSTOR.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Address: 0xF8829000 Size: 26496 File Visible: - Signed: -
Status: -

Name: usbuhci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Address: 0xF88A1000 Size: 20480 File Visible: - Signed: -
Status: -

Name: vga.sys
Image Path: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xF88E9000 Size: 20992 File Visible: - Signed: -
Status: -

Name: VIDEOPRT.SYS
Image Path: C:\WINDOWS\System32\drivers\VIDEOPRT.SYS
Address: 0xF8194000 Size: 81920 File Visible: - Signed: -
Status: -

Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xF8581000 Size: 52352 File Visible: - Signed: -
Status: -

Name: watchdog.sys
Image Path: C:\WINDOWS\System32\watchdog.sys
Address: 0xF8941000 Size: 20480 File Visible: - Signed: -
Status: -

Name: Win32k
Image Path: \Driver\Win32k
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: win32k.sys
Image Path: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: WMILIB.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\WMILIB.SYS
Address: 0xF8A43000 Size: 8192 File Visible: - Signed: -
Status: -

Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x804D7000 Size: 2180352 File Visible: - Signed: -
Status: -

[Caroprd111]

Stáhněte MBR na plochu http://www2.gmer.net/mbr/mbr.exe

Start > Spustit (Win + R)

• Vyskočí okénko, zkopírujte do něj:

Kód: Vybrat vše

"%userprofile%\plocha\mbr" -t

• Klikněte na OK

• Vytvoří se log s názvem mbr.log, vložte ho sem.

[martinv1]

tak tady to je

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll intelide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK

[Caroprd111]

Co jste dělal s PC, než nastal problém


Stáhněte a uložte na plochu SystemLook http://jpshortstuff.247fixes.com/SystemLook.exe

• Spusťte, do okénka zkopírujte text z bílého okna.

Kód: Vybrat vše

:filefind
Winlogon
userinit

:regfind
Winlogon
userinit

• klikněte na Look, po dokončení skenu na Vás vyskočí log, zkopírujte ho sem.

[martinv1]

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 08:15 on 19/02/2010 by Administrator (Administrator - Elevation successful)

========== filefind ==========

Searching for "Winlogon"
No files found.

Searching for "userinit"
No files found.

========== regfind ==========

Searching for "Winlogon"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\MUILanguages\FileVersions\0405\winlogon.exe]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\winlogon]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartMenu\StartMenu\StartMenuLogoff\Policy\LogonType]
"RegKey"="Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1614895754-706699826-839522115-1003\Components\F6C23769F24B6DD4BB79D38958E8DBC0]
"CB199C6361107774CAC7B4A2D5C7D6FE"="C:\Program Files\Windows XP MUI Pack\CS.MUI\I386\WINLOGON.EXE.MU_"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit\Reg Values\MACHINE/Software/Microsoft/Windows NT/CurrentVersion/Winlogon/AllocateCDRoms]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit\Reg Values\MACHINE/Software/Microsoft/Windows NT/CurrentVersion/Winlogon/AllocateDASD]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit\Reg Values\MACHINE/Software/Microsoft/Windows NT/CurrentVersion/Winlogon/AllocateFloppies]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit\Reg Values\MACHINE/Software/Microsoft/Windows NT/CurrentVersion/Winlogon/CachedLogonsCount]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit\Reg Values\MACHINE/Software/Microsoft/Windows NT/CurrentVersion/Winlogon/ForceUnlockLogon]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit\Reg Values\MACHINE/Software/Microsoft/Windows NT/CurrentVersion/Winlogon/PasswordExpiryWarning]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit\Reg Values\MACHINE/Software/Microsoft/Windows NT/CurrentVersion/Winlogon/ScRemoveOption]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\MUILanguages\RCV2\winlogon.exe]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\Autochk]
"EventMessageFile"="%SystemRoot%\System32\winlogon.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\Winlogon]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\Winlogon]
"EventMessageFile"="%SystemRoot%\System32\winlogon.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Nls\MUILanguages\RCV2\winlogon.exe]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\Application\Autochk]
"EventMessageFile"="%SystemRoot%\System32\winlogon.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\Application\Winlogon]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\Application\Winlogon]
"EventMessageFile"="%SystemRoot%\System32\winlogon.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\winlogon.exe]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\Autochk]
"EventMessageFile"="%SystemRoot%\System32\winlogon.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\Winlogon]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\Winlogon]
"EventMessageFile"="%SystemRoot%\System32\winlogon.exe"
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\MUILanguages\FileVersions\0405\winlogon.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
[HKEY_USERS\S-1-5-21-1614895754-706699826-839522115-500\Software\Microsoft\Windows\CurrentVersion\MUILanguages\FileVersions\0405\winlogon.exe]
[HKEY_USERS\S-1-5-21-1614895754-706699826-839522115-500\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\MUILanguages\FileVersions\0405\winlogon.exe]
[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

Searching for "userinit"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\MUILanguages\FileVersions\0405\userinit.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1614895754-706699826-839522115-1003\Components\F707BD6B0A3828A4FB56B530E6FC8EC1]
"CB199C6361107774CAC7B4A2D5C7D6FE"="C:\Program Files\Windows XP MUI Pack\CS.MUI\I386\USERINIT.EXE.MU_"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\MUILanguages\RCV2\userinit.exe]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\Userinit]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\Userinit]
"EventMessageFile"="%SystemRoot%\System32\userinit.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Nls\MUILanguages\RCV2\userinit.exe]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\Application\Userinit]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\Application\Userinit]
"EventMessageFile"="%SystemRoot%\System32\userinit.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\userinit.exe]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\Userinit]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\Userinit]
"EventMessageFile"="%SystemRoot%\System32\userinit.exe"
[HKEY_USERS\S-1-5-21-1614895754-706699826-839522115-500\Software\Microsoft\Windows\CurrentVersion\MUILanguages\FileVersions\0405\userinit.exe]

-=End Of File=-