VIRY.CZ

Následující kroky proveďte přesně v pořadí jak jsou.

Obrázek

Stáhněte a rozbalte soubor z přílohy na disk c:\ (Cesta souboru bude c:\atapi.sys, nesmí to být archív

)

atapi.zip: (52.45 KiB) Staženo 63 x

Stáhněte Avenger http://www.viry.cz/forum/viewtopic.php?f=15&t=19832 a použijte s tímto skriptem:

Kód: Vybrat vše

Begin copying here:

Files to move:
c:\atapi.sys | c:\windows\system32\drivers\atapi.sys

Log vložte sem.

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "c:\atapi.sys|c:\windows\system32\drivers\atapi.sys" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

Dejte nový log z ComboFix (bez skriptu).

ComboFix 10-03-08.02 - Martin 09.03.2010 19:30:21.12.1 - x86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.420.1029.18.895.593 [GMT 1:00]
Spuštěný z: c:\documents and settings\Martin\Plocha\ComboFix.exe
AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET personal firewall *disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
* Rezidentní štít AV je zapnutý

VAROVÁNÍ - NA TOMTO POČÍTAČI NENÍ NAINSTALOVÁNA KONZOLA PRO ZOTAVENÍ !!
.

((((((((((((((((((((((((( Soubory vytvořené od 2010-02-09 do 2010-03-09 )))))))))))))))))))))))))))))))
.

2010-03-09 12:56 . 2010-03-09 16:44 -------- d-----w- c:\program files\CCleaner
2010-03-09 06:51 . 2010-03-09 06:52 -------- d-----w- C:\rsit
2010-03-07 17:35 . 2009-11-03 12:07 679936 ----a-w- c:\windows\system32\D3DX81ab.dll
2010-03-07 17:35 . 2009-11-03 12:07 1970176 ----a-w- c:\windows\system32\d3dx9.dll
2010-03-06 17:53 . 2010-03-06 17:53 -------- d-----w- c:\program files\Winamp Detect
2010-03-06 17:53 . 2010-03-06 17:54 -------- d-----w- c:\program files\Winamp
2010-02-22 19:11 . 2010-02-22 19:13 -------- d-----w- c:\program files\SRDownloader
2010-02-09 11:44 . 2004-01-25 16:18 217088 ----a-w- c:\windows\system32\yv12vfw.dll
2010-02-09 11:44 . 2009-05-29 21:37 205824 ----a-w- c:\windows\system32\xvidvfw.dll
2010-02-09 11:44 . 2010-01-04 18:00 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2010-02-09 11:44 . 2010-02-09 11:44 -------- d-----w- c:\program files\K-Lite Codec Pack

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-09 17:06 . 2007-03-15 20:26 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-09 16:22 . 2004-08-18 09:00 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-03-08 18:11 . 2008-11-13 08:28 -------- d-----w- c:\program files\Common Files\Java
2010-03-08 18:10 . 2008-11-13 07:52 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-08 18:10 . 2008-11-13 08:28 -------- d-----w- c:\program files\Java
2010-03-05 21:44 . 2008-11-13 08:07 -------- d-----w- c:\program files\Opera
2010-03-04 07:47 . 2004-08-18 12:00 81394 ----a-w- c:\windows\system32\perfc005.dat
2010-03-04 07:47 . 2004-08-18 12:00 433402 ----a-w- c:\windows\system32\perfh005.dat
2010-02-19 05:43 . 2009-11-19 17:26 -------- d-----w- c:\program files\Microsoft Silverlight
2010-02-18 17:31 . 2009-12-14 20:43 -------- d-----w- c:\program files\IDOS
2010-02-12 10:14 . 2008-12-05 08:14 -------- d-----w- c:\program files\dream58
2010-01-29 22:41 . 2007-03-27 07:43 3208 ----a-w- c:\windows\im32st.dat
2010-01-29 22:13 . 2008-06-18 16:18 -------- d-----w- c:\program files\GoldWave
2009-12-12 14:15 . 2005-10-14 09:56 178176 ----a-w- c:\windows\system32\unrar.dll
2009-01-27 01:34 . 2009-01-27 01:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-01-27 01:34 . 2009-01-27 01:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2009-01-27 01:34 . 2010-02-09 11:38 1044480 ----a-w- c:\program files\opera\program\plugins\libdivx.dll
2009-01-27 01:34 . 2010-02-09 11:38 200704 ----a-w- c:\program files\opera\program\plugins\ssldivx.dll
.

------- Sigcheck -------

[7] 2010-03-09 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\atapi.sys
[-] 2010-03-09 16:22 . !HASH: COULD NOT OPEN FILE !!!!! . 95360 . . [------] . . c:\windows\system32\drivers\atapi.sys
[-] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\8fb85d68ee3649be8b622da7b69408ee\atapi.sys
[7] 2004-08-03 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\ERDNT\cache\atapi.sys
.
((((((((((((((((((((((((((((( SnapShot@2010-03-09_13.30.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-09 18:38 . 2010-03-09 18:38 16384 c:\windows\temp\Perflib_Perfdata_11c.dat
+ 2010-03-09 14:35 . 2010-03-09 14:35 68961 c:\windows\system32\drivers\gmer.sys
+ 2010-03-09 14:35 . 2006-11-28 14:23 573440 c:\windows\gmer.exe
+ 2010-03-09 14:35 . 2010-03-09 14:35 565311 c:\windows\gmer.dll
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-04-27 7561216]
"nwiz"="nwiz.exe" [2006-04-27 1519616]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-04-27 86016]
"HControl"="c:\windows\ATK0100\HControl.exe" [2006-08-23 110592]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"SMSERIAL"="sm56hlpr.exe" [2006-01-20 544768]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-10-21 761945]
"RTHDCPL"="RTHDCPL.EXE" [2006-09-12 16264192]
"Wireless Console 2"="c:\program files\Wireless Console 2\wcourier.exe" [2005-10-17 987136]
"DU Meter"="c:\program files\DU Meter\DUMeter.exe" [2006-12-01 1583644]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 54832]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-04-03 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 1603152]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-06-13 528384]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2007-12-21 1443072]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-18 110592]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-18 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LANChatbox]
2006-12-01 18:09 1583644 ----a-w- c:\program files\DU Meter\DUMeter.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LightScribeService"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"c:\\Program Files\\Maple 9.5\\bin.win\\mserver.exe"=
"c:\\Program Files\\Maple 9.5\\jre\\bin\\java.exe"=
"c:\\Games\\FlatOut 2\\flatout2.exe"=
"c:\\Games\\blobby Volley\\volley.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [30.3.2007 7:20 160640]
R0 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [30.3.2007 7:20 5248]
R1 prodrv04;Star Force copy protection driver v4;c:\windows\system32\drivers\prodrv04.sys [2.8.2007 8:10 114496]
R2 dioe;dioe;c:\windows\system32\drivers\dioe.sys [3.5.2007 21:22 6880]
R2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [21.12.2007 8:21 468224]
R3 SynMini;USB2.0 1.3M Web Cam;c:\windows\system32\drivers\SynMini.sys [15.3.2007 21:38 720470]
R3 SynScan;USB2.0 1.3M Web Cam Still Image;c:\windows\system32\drivers\SynScan.sys [15.3.2007 21:38 8278]
S1 aswSP;avast! Self Protection; [x]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS --> c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys --> c:\windows\system32\DRIVERS\aswFsBlk.sys [?]
S2 pardrive;pardrive;c:\windows\system32\drivers\pardrive.sys [3.5.2007 21:22 5214]
S3 adusbmdm6501;AnyDATA CDMA USB Modem Driver (PID 6501);c:\windows\system32\drivers\adusbmdm65.sys [30.5.2007 17:47 64896]
S3 adusbser6501;AnyDATA CDMA USB Serial Port (PID 6501);c:\windows\system32\drivers\adusbser65.sys [30.5.2007 17:48 64896]
S3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\system32\drivers\BRGSp50.sys [27.2.2009 15:13 20608]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [6.11.2007 21:22 34064]
S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS --> c:\program files\SUPERAntiSpyware\SASENUM.SYS [?]
S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\SynasUSB.sys [20.3.2008 15:59 18176]
S4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys --> c:\windows\system32\Drivers\sptd.sys [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Obsah adresáře 'Naplánované úlohy'

2010-03-05 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2006-12-19 13:13]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.seznam.cz/
IE: Add to &Teleport - c:\program files\Teleport Pro\teleport.htm
IE: Download &Flash Movies
IE: E&xportovat do aplikace Microsoft Excel
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{7E6A20FB-153F-402c-A84B-1A64E1955D3D} - {7E6A20FB-153F-402c-A84B-1A64E1955D3D} - c:\windows\WebIE.dll
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748449} - {CC963627-B1DC-40E0-B52A-CF21EE748450} - c:\windows\WebIE.dll
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748450} - {CC963627-B1DC-40E0-B52A-CF21EE748450} - c:\windows\WebIE.dll
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748451} - {CC963627-B1DC-40E0-B52A-CF21EE748451} - c:\windows\WebIE.dll
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748452} - {CC963627-B1DC-40E0-B52A-CF21EE748452} - c:\windows\WebIE.dll
FF - ProfilePath - c:\documents and settings\Martin\Data aplikací\Mozilla\Firefox\Profiles\g6m15sr4.default\
FF - prefs.js: browser.search.selectedEngine - VyhledĂˇvĂˇnĂ videĂ ve sluĹľbÄ› YouTube
FF - prefs.js: browser.startup.homepage - hxxp://www.seznam.cz/
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=
FF - plugin: c:\program files\DivX\1\DivX Web Player\npdivx32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - plugin: c:\program files\Opera\program\plugins\np-mswmp.dll
FF - plugin: c:\program files\Opera\program\plugins\np-mswmp.dll
FF - plugin: c:\program files\Opera\program\plugins\np32dsw.dll
FF - plugin: c:\program files\Opera\program\plugins\npdeploytk.dll
FF - plugin: c:\program files\Opera\program\plugins\npdivx32.dll
FF - plugin: c:\program files\Opera\program\plugins\npdivx32.dll
FF - plugin: c:\program files\Opera\program\plugins\npnul32.dll
FF - plugin: c:\program files\Opera\program\plugins\nppdf32.dll

---- NASTAVENÍ FIREFOXU ----
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.notify.interval - 600000
FF - user.js: content.switch.threshold - 1000000
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: network.http.max-persistent-connections-per-server - 4
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-09 19:38
Windows 5.1.2600 Service Pack 2 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8504F6C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7500fc3
\Driver\ACPI -> ACPI.sys @ 0xf732bcb8
\Driver\atapi -> 0x8504f6c8
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x8057807e
ParseProcedure -> ntkrnlpa.exe @ 0x80576ce0
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x8057807e
ParseProcedure -> ntkrnlpa.exe @ 0x80576ce0 SendCompleteHandler -> NDIS.sys @ 0xf7193ba0
PacketIndicateHandler -> NDIS.sys @ 0xf7182a0b
SendHandler -> NDIS.sys @ 0xf7196b31
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'explorer.exe'(3708)
c:\program files\ScanSoft\OmniPageSE4\OpHookSE4.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Altap Salamander 2.5\plugins\salamext.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\windows\sm56hlpr.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\rundll32.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\system32\wscntfy.exe
c:\windows\ATK0100\ATKOSD.exe
c:\windows\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Celkový čas: 2010-03-09 19:44:20 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-03-09 18:44
ComboFix2.txt 2010-03-09 15:20
ComboFix3.txt 2010-03-09 14:08
ComboFix4.txt 2010-03-09 13:32

Před spuštěním: 2 691 928 064
Po spuštění: 2 651 312 128

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - D285E8C9624FCF2BFEE5894657C879EC

Následující kroky proveďte přesně v pořadí jak jsou.

Obrázek

Stáhněte a rozbalte soubor z přílohy na disk c: (Cesta souboru bude c:\atapi.sys, nesmí to být archív

) Poté na disku c: vytvořte složku c:\a a také do ní rozbalte atapi.sys

atapi.zip: (52.45 KiB) Staženo 67 x

Stáhněte Avenger http://www.viry.cz/forum/viewtopic.php?f=15&t=19832 a použijte s tímto skriptem:

Kód: Vybrat vše

Begin copying here:

Files to move:
c:\atapi.sys | c:\windows\system32\drivers\atapi.sys
c:\a\atapi.sys | c:\windows\SoftwareDistribution\Download\8fb85d68ee3649be8b622da7b69408ee\atapi.sys

Log vložte sem.

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "c:\atapi.sys|c:\windows\system32\drivers\atapi.sys" completed successfully.
File move operation "c:\a\atapi.sys|c:\windows\SoftwareDistribution\Download\8fb85d68ee3649be8b622da7b69408ee\atapi.sys" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

Dejte nový log z Combofix (bez skriptu).

ComboFix 10-03-08.02 - Martin 09.03.2010 20:14:21.13.1 - x86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.420.1029.18.895.587 [GMT 1:00]
Spuštěný z: c:\documents and settings\Martin\Plocha\ComboFix.exe
AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET personal firewall *disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
* Rezidentní štít AV je zapnutý

VAROVÁNÍ - NA TOMTO POČÍTAČI NENÍ NAINSTALOVÁNA KONZOLA PRO ZOTAVENÍ !!
.

((((((((((((((((((((((((( Soubory vytvořené od 2010-02-09 do 2010-03-09 )))))))))))))))))))))))))))))))
.

2010-03-09 19:04 . 2010-03-09 19:07 -------- d-----w- C:\a
2010-03-09 12:56 . 2010-03-09 16:44 -------- d-----w- c:\program files\CCleaner
2010-03-09 06:51 . 2010-03-09 06:52 -------- d-----w- C:\rsit
2010-03-07 17:35 . 2009-11-03 12:07 679936 ----a-w- c:\windows\system32\D3DX81ab.dll
2010-03-07 17:35 . 2009-11-03 12:07 1970176 ----a-w- c:\windows\system32\d3dx9.dll
2010-03-06 17:53 . 2010-03-06 17:53 -------- d-----w- c:\program files\Winamp Detect
2010-03-06 17:53 . 2010-03-06 17:54 -------- d-----w- c:\program files\Winamp
2010-02-22 19:11 . 2010-02-22 19:13 -------- d-----w- c:\program files\SRDownloader
2010-02-09 11:44 . 2004-01-25 16:18 217088 ----a-w- c:\windows\system32\yv12vfw.dll
2010-02-09 11:44 . 2009-05-29 21:37 205824 ----a-w- c:\windows\system32\xvidvfw.dll
2010-02-09 11:44 . 2010-01-04 18:00 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2010-02-09 11:44 . 2010-02-09 11:44 -------- d-----w- c:\program files\K-Lite Codec Pack

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-09 17:06 . 2007-03-15 20:26 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-09 16:22 . 2004-08-18 08:00 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-03-08 18:11 . 2008-11-13 08:28 -------- d-----w- c:\program files\Common Files\Java
2010-03-08 18:10 . 2008-11-13 07:52 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-08 18:10 . 2008-11-13 08:28 -------- d-----w- c:\program files\Java
2010-03-05 21:44 . 2008-11-13 08:07 -------- d-----w- c:\program files\Opera
2010-03-04 07:47 . 2004-08-18 12:00 81394 ----a-w- c:\windows\system32\perfc005.dat
2010-03-04 07:47 . 2004-08-18 12:00 433402 ----a-w- c:\windows\system32\perfh005.dat
2010-02-19 05:43 . 2009-11-19 17:26 -------- d-----w- c:\program files\Microsoft Silverlight
2010-02-18 17:31 . 2009-12-14 20:43 -------- d-----w- c:\program files\IDOS
2010-02-12 10:14 . 2008-12-05 08:14 -------- d-----w- c:\program files\dream58
2010-01-29 22:41 . 2007-03-27 07:43 3208 ----a-w- c:\windows\im32st.dat
2010-01-29 22:13 . 2008-06-18 16:18 -------- d-----w- c:\program files\GoldWave
2009-12-12 14:15 . 2005-10-14 09:56 178176 ----a-w- c:\windows\system32\unrar.dll
2009-01-27 01:34 . 2009-01-27 01:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-01-27 01:34 . 2009-01-27 01:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2009-01-27 01:34 . 2010-02-09 11:38 1044480 ----a-w- c:\program files\opera\program\plugins\libdivx.dll
2009-01-27 01:34 . 2010-02-09 11:38 200704 ----a-w- c:\program files\opera\program\plugins\ssldivx.dll
.

------- Sigcheck -------

[7] 2010-03-09 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\8fb85d68ee3649be8b622da7b69408ee\atapi.sys
[7] 2010-03-09 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\atapi.sys
[-] 2010-03-09 16:22 . !HASH: COULD NOT OPEN FILE !!!!! . 95360 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2004-08-03 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\ERDNT\cache\atapi.sys
.
((((((((((((((((((((((((((((( SnapShot@2010-03-09_13.30.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-09 19:22 . 2010-03-09 19:22 16384 c:\windows\temp\Perflib_Perfdata_79c.dat
+ 2010-03-09 14:35 . 2010-03-09 14:35 68961 c:\windows\system32\drivers\gmer.sys
+ 2010-03-09 14:35 . 2006-11-28 14:23 573440 c:\windows\gmer.exe
+ 2010-03-09 14:35 . 2010-03-09 14:35 565311 c:\windows\gmer.dll
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-04-27 7561216]
"nwiz"="nwiz.exe" [2006-04-27 1519616]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-04-27 86016]
"HControl"="c:\windows\ATK0100\HControl.exe" [2006-08-23 110592]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"SMSERIAL"="sm56hlpr.exe" [2006-01-20 544768]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-10-21 761945]
"RTHDCPL"="RTHDCPL.EXE" [2006-09-12 16264192]
"Wireless Console 2"="c:\program files\Wireless Console 2\wcourier.exe" [2005-10-17 987136]
"DU Meter"="c:\program files\DU Meter\DUMeter.exe" [2006-12-01 1583644]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 54832]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-04-03 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 1603152]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-06-13 528384]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2007-12-21 1443072]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-18 110592]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-18 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LANChatbox]
2006-12-01 18:09 1583644 ----a-w- c:\program files\DU Meter\DUMeter.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LightScribeService"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"c:\\Program Files\\Maple 9.5\\bin.win\\mserver.exe"=
"c:\\Program Files\\Maple 9.5\\jre\\bin\\java.exe"=
"c:\\Games\\FlatOut 2\\flatout2.exe"=
"c:\\Games\\blobby Volley\\volley.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [30.3.2007 7:20 160640]
R0 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [30.3.2007 7:20 5248]
R1 prodrv04;Star Force copy protection driver v4;c:\windows\system32\drivers\prodrv04.sys [2.8.2007 8:10 114496]
R2 dioe;dioe;c:\windows\system32\drivers\dioe.sys [3.5.2007 21:22 6880]
R2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [21.12.2007 8:21 468224]
R3 SynMini;USB2.0 1.3M Web Cam;c:\windows\system32\drivers\SynMini.sys [15.3.2007 21:38 720470]
R3 SynScan;USB2.0 1.3M Web Cam Still Image;c:\windows\system32\drivers\SynScan.sys [15.3.2007 21:38 8278]
S1 aswSP;avast! Self Protection; [x]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS --> c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys --> c:\windows\system32\DRIVERS\aswFsBlk.sys [?]
S2 pardrive;pardrive;c:\windows\system32\drivers\pardrive.sys [3.5.2007 21:22 5214]
S3 adusbmdm6501;AnyDATA CDMA USB Modem Driver (PID 6501);c:\windows\system32\drivers\adusbmdm65.sys [30.5.2007 17:47 64896]
S3 adusbser6501;AnyDATA CDMA USB Serial Port (PID 6501);c:\windows\system32\drivers\adusbser65.sys [30.5.2007 17:48 64896]
S3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\system32\drivers\BRGSp50.sys [27.2.2009 15:13 20608]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [6.11.2007 21:22 34064]
S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS --> c:\program files\SUPERAntiSpyware\SASENUM.SYS [?]
S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\SynasUSB.sys [20.3.2008 15:59 18176]
S4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys --> c:\windows\system32\Drivers\sptd.sys [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Obsah adresáře 'Naplánované úlohy'

2010-03-05 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2006-12-19 13:13]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.seznam.cz/
IE: Add to &Teleport - c:\program files\Teleport Pro\teleport.htm
IE: Download &Flash Movies
IE: E&xportovat do aplikace Microsoft Excel
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{7E6A20FB-153F-402c-A84B-1A64E1955D3D} - {7E6A20FB-153F-402c-A84B-1A64E1955D3D} - c:\windows\WebIE.dll
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748449} - {CC963627-B1DC-40E0-B52A-CF21EE748450} - c:\windows\WebIE.dll
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748450} - {CC963627-B1DC-40E0-B52A-CF21EE748450} - c:\windows\WebIE.dll
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748451} - {CC963627-B1DC-40E0-B52A-CF21EE748451} - c:\windows\WebIE.dll
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748452} - {CC963627-B1DC-40E0-B52A-CF21EE748452} - c:\windows\WebIE.dll
FF - ProfilePath - c:\documents and settings\Martin\Data aplikací\Mozilla\Firefox\Profiles\g6m15sr4.default\
FF - prefs.js: browser.search.selectedEngine - VyhledĂˇvĂˇnĂ videĂ ve sluĹľbÄ› YouTube
FF - prefs.js: browser.startup.homepage - hxxp://www.seznam.cz/
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=
FF - plugin: c:\program files\DivX\1\DivX Web Player\npdivx32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - plugin: c:\program files\Opera\program\plugins\np-mswmp.dll
FF - plugin: c:\program files\Opera\program\plugins\np-mswmp.dll
FF - plugin: c:\program files\Opera\program\plugins\np32dsw.dll
FF - plugin: c:\program files\Opera\program\plugins\npdeploytk.dll
FF - plugin: c:\program files\Opera\program\plugins\npdivx32.dll
FF - plugin: c:\program files\Opera\program\plugins\npdivx32.dll
FF - plugin: c:\program files\Opera\program\plugins\npnul32.dll
FF - plugin: c:\program files\Opera\program\plugins\nppdf32.dll

---- NASTAVENÍ FIREFOXU ----
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.notify.interval - 600000
FF - user.js: content.switch.threshold - 1000000
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: network.http.max-persistent-connections-per-server - 4
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-09 20:22
Windows 5.1.2600 Service Pack 2 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8505A6C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7500fc3
\Driver\ACPI -> ACPI.sys @ 0xf732bcb8
\Driver\atapi -> 0x8505a6c8
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x8057807e
ParseProcedure -> ntkrnlpa.exe @ 0x80576ce0
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x8057807e
ParseProcedure -> ntkrnlpa.exe @ 0x80576ce0 SendCompleteHandler -> NDIS.sys @ 0xf7193ba0
PacketIndicateHandler -> NDIS.sys @ 0xf7182a0b
SendHandler -> NDIS.sys @ 0xf7196b31
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'explorer.exe'(4092)
c:\program files\ScanSoft\OmniPageSE4\OpHookSE4.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Altap Salamander 2.5\plugins\salamext.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\windows\sm56hlpr.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\rundll32.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\system32\wscntfy.exe
c:\windows\ATK0100\ATKOSD.exe
c:\windows\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Celkový čas: 2010-03-09 20:28:25 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-03-09 19:28
ComboFix2.txt 2010-03-09 18:44
ComboFix3.txt 2010-03-09 15:20
ComboFix4.txt 2010-03-09 14:08
ComboFix5.txt 2010-03-09 19:11

Před spuštěním: 2 658 705 408
Po spuštění: 2 618 118 144

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - B4074A0AF0DF7AE4416504CDF69ADEDF

Tohle otestujte na http://www.virustotal.com/cs/
c:\windows\system32\drivers\dioe.sys

(Soubor nehledejte, jenom vložíte tučně označenou cestu, v případě hlášky "Soubor již byl testován" dejte otestovat znovu. Výsledek analýzy sem v podobě odkazu vložte.)

http://www.virustotal.com/cs/analisis/a ... 1268164067

Pokračujte podle návodu AVPTool http://www.viry.cz/forum/viewtopic.php?f=29&t=58179

Dejte pozor, ať nesmažete soubor atapi.sys.

Ten sken jsem zapnul hned vecer. Kdyz jsem k tomu asi za 2 hodiny prisel bylo kompletni 1% a asi dve hodiny to kontrolovalo jednu knihovnu. Tak jsem to zastavil a pustil znova a nechal do rana. Jenze opet kompletni 1% a asi 3 hodiny to kontrolovalo jinou knihovnu. Tak jsem to prerusil a opet spustil (resume). Pak se to uz rozbehlo.
Nevim jestli ma pak takovy sken smysl, ale kdybych to nechal, tak by to mohlo trvat i tyden ovsem jestli by to vubec nekdy dobehlo do konce. Tady je log:

Autoscan: completed 2 minutes ago (events: 6, objects: 603391, time: 02:12:58)
9.3.2010 23:59:51 Task started
10.3.2010 5:04:29 Task stopped
10.3.2010 5:04:45 Task started
10.3.2010 5:46:49 Detected: Trojan.Win32.Agent.dmth C:\Program Files\MATLAB\R2006b\toolbox\rtw\targets\xpc\target\build\xpcblocks\fiforeadbinhdr.mexw32
10.3.2010 5:47:41 Deleted: Trojan.Win32.Agent.dmth C:\Program Files\MATLAB\R2006b\toolbox\rtw\targets\xpc\target\build\xpcblocks\fiforeadbinhdr.mexw32
10.3.2010 7:17:43 Task completed

Stahněte MBAM http://www.viry.cz/forum/viewtopic.php?f=29&t=67229

Podle návodu v odkazu nainstalujte, poté dejte úplný sken.
Nic nemažte MBAM má občas falešné detekce a mohl by smazat např. systémové soubory.
Log vložte sem.

Malwarebytes' Anti-Malware 1.44
Verze databáze: 3847
Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

10.3.2010 16:18:24
mbam-log-2010-03-10 (16-18-18).txt

Typ kontroly: Kompletní kontrola (C:\|E:\|F:\|)
Zkontrolované objekty: 417354
Uplynulý čas: 1 hour(s), 26 minute(s), 2 second(s)

Infikované procesy v paměti: 0
Infikované moduly v paměti: 0
Infikované klíče registru: 0
Infikované hodnoty registru: 0
Infikované datové položky registru: 1
Infikované adresáře: 0
Infikované soubory: 2

Infikované procesy v paměti:
(Nebyly nalezeny žádné škodlivé položky)

Infikované moduly v paměti:
(Nebyly nalezeny žádné škodlivé položky)

Infikované klíče registru:
(Nebyly nalezeny žádné škodlivé položky)

Infikované hodnoty registru:
(Nebyly nalezeny žádné škodlivé položky)

Infikované datové položky registru:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) ->

Bad: (1) Good: (0) -> No action taken.

Infikované adresáře:
(Nebyly nalezeny žádné škodlivé položky)

Infikované soubory:
C:\System Volume Information\_restore{D8BF08B9-1DA9-4413-9ACE-FB071A0A7B6C}\RP68\A0014809.sys

(Rootkit.Agent) -> No action taken.
C:\System Volume Information\_restore{D8BF08B9-1DA9-4413-9ACE-FB071A0A7B6C}\RP68\A0015029.sys

(Rootkit.Agent) -> No action taken.

Vše, co našel MBAM smažte a restartujte PC.

Obrázek

Odinstalujte ComboFix přes:
Start >> Spustit, zkopírujte do okénka:

ComboFix /Uninstall

stiskněte Enter

Obrázek

Stáhněte T-Cleaner
http://sweb.cz/Marinus/T-Cleaner.exe

Spusťte, pro potvrzení volby mačkejte klávesu A, Enter
Po použití program vymažte. Pozor,antiviry ho mohou falešně označit za vir.

Stáhněte a uložte, nejlépe na plochu http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Obrázek

Vypněte všechny rezidentní bezpečnostní programy - firewally, antiviry, antispywary

Obrázek

Spusťte aplikaci pod účtem s oprávněním Administrátora (Správce), ihned po startu se zobrází stránka s licenčnímy podmínkami, pokračujte stisknutím tlačítka "Ano"

Obrázek

Dále postupujte dle pokynů, během scanu nespouštějte jiné aplikace a neklikejte do zobrazujícího se okna

Scan by měl trvat okolo 5 - 10 minut, po dokončení Combofix zobrazí log C:\ComboFix.txt , který sem vložte.

Obrázek

Během skenování může být počítač restartován.

VIRY.CZ

Preventka - děkuji

Re: Preventka - děkuji

Re: Preventka - děkuji

Re: Preventka - děkuji

Re: Preventka - děkuji

Re: Preventka - děkuji

Re: Preventka - děkuji

Re: Preventka - děkuji

Re: Preventka - děkuji

Re: Preventka - děkuji

Re: Preventka - děkuji

Re: Preventka - děkuji

Re: Preventka - děkuji

Re: Preventka - děkuji

Re: Preventka - děkuji

Re: Preventka - děkuji