vir Alureon.B nelze odstranit

[Caroprd111]

Vložte instalační CD do mechaniky.
Otevřete si příkazový řádek (cmd) a vložte tam následující text.

Kód: Vybrat vše

expand x:\i386\atapi.sy_ C:\atapi.sys

x: je je písmeno Vaší DVD mechaniky (pokud máte jiné, změňte).

[Caroprd111]

Pokud jste ještě neprovedl předchozí krok, tak ho nedělejte.

[swobi]

no neprovedl.. proc? a co tedy mam udelat??

[Caroprd111]

Vydržte, napíšu Vám další postup.

[Caroprd111]

Následující kroky proveďte přesně v pořadí jak jsou.


Stáhněte a rozbalte soubor z přílohy na disk c:\ (Cesta souboru bude c:\atapi.sys, nesmí to být archív )

atapi.zip

(11.3 KiB) Staženo 59 x

Stáhněte Avenger http://www.viry.cz/forum/viewtopic.php?f=15&t=19832 a použijte s tímto skriptem:

Kód: Vybrat vše

Begin copying here:

Files to move:
c:\atapi.sys | c:\windows\system32\drivers\atapi.sys

Log vložte sem.

[swobi]

i pres mensi problem ze po resetu programem naskocila zelena obrazovka a byl nutny tvrdy reset nic mene log zde:
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Fatal error: integrity of script failed verification check! Security may be compromised. Terminating immediately.
Could not read script file! Status: 0xc000003e (STATUS_DATA_ERROR)

Abort!



Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "c:\atapi.sys|c:\windows\system32\drivers\atapi.sys" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

[Caroprd111]

Poprosím o nový log z ComboFixu (bez skriptu).

[swobi]

ComboFix 10-03-16.05 - Jan Svoboda 21.03.2010 20:17:22.4.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1250.420.1029.18.2046.1395 [GMT 1:00]
Spuštěný z: c:\users\Jan Svoboda\Desktop\ComboFix.exe
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Soubory vytvořené od 2010-02-21 do 2010-03-21 )))))))))))))))))))))))))))))))
.

2010-03-21 19:24 . 2010-03-21 19:24 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-03-21 19:24 . 2010-03-21 19:24 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-03-19 14:11 . 2010-03-19 14:11 -------- d-----w- c:\users\Jan Svoboda\AppData\Local\ESET
2010-03-18 18:05 . 2010-03-18 18:05 -------- d-----w- c:\program files\ESET
2010-03-17 20:55 . 2010-03-21 19:24 -------- d-----w- c:\users\Jan Svoboda\AppData\Local\temp
2010-03-17 16:08 . 2010-03-17 16:08 -------- d-----w- c:\program files\trend micro
2010-03-17 16:08 . 2010-03-17 16:08 -------- d-----w- C:\rsit
2010-03-17 14:03 . 2010-03-17 14:09 -------- d-----w- c:\program files\Common Files\ParetoLogic
2010-03-17 14:02 . 2010-03-17 14:02 -------- d-----w- c:\users\Jan Svoboda\AppData\Local\Downloaded Installations
2010-03-17 13:44 . 2010-03-17 13:44 -------- d-----w- c:\users\Jan Svoboda\AppData\Roaming\Malwarebytes
2010-03-17 13:44 . 2010-03-17 13:44 -------- d-----w- c:\programdata\Malwarebytes
2010-03-14 13:49 . 2010-03-14 13:49 -------- d-----w- c:\program files\Common Files\PCSuite
2010-03-14 13:49 . 2010-03-14 13:49 -------- d-----w- c:\program files\Common Files\Nokia
2010-03-14 13:49 . 2008-08-26 09:26 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
2010-03-14 13:49 . 2010-03-14 13:49 -------- d-----w- c:\program files\PC Connectivity Solution
2010-03-14 13:47 . 2010-03-14 13:47 34557984 ----a-w- c:\programdata\Installations\{55495E65-7C5B-48E4-BC7D-DE54F3DE5ED6}\Nokia_PC_Suite_7_1_30_8_cze_web.exe
2010-03-14 13:47 . 2010-03-14 13:47 95232 ----a-w- c:\programdata\Installations\{55495E65-7C5B-48E4-BC7D-DE54F3DE5ED6}\Installer\CommonCustomActions\pcswpcsi.exe
2010-03-14 13:47 . 2010-03-14 13:47 8192 ----a-w- c:\programdata\Installations\{55495E65-7C5B-48E4-BC7D-DE54F3DE5ED6}\Installer\CommonCustomActions\UninstCCD.exe
2010-03-14 13:47 . 2010-03-14 13:47 61440 ----a-w- c:\programdata\Installations\{55495E65-7C5B-48E4-BC7D-DE54F3DE5ED6}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2010-03-14 13:47 . 2010-03-14 13:47 10240 ----a-w- c:\programdata\Installations\{55495E65-7C5B-48E4-BC7D-DE54F3DE5ED6}\Installer\CommonCustomActions\UninstPCS.exe
2010-03-12 16:04 . 2010-03-12 16:04 -------- d-----w- c:\users\Jan Svoboda\AppData\Local\Opera
2010-03-12 16:04 . 2010-03-12 16:04 -------- d-----w- c:\program files\Opera
2010-03-12 14:58 . 2010-03-12 14:58 -------- d-----w- c:\program files\NVIDIA Corporation
2010-03-12 14:57 . 2010-02-12 10:32 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-03-12 06:21 . 2010-02-20 23:06 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-03-12 06:21 . 2010-02-20 23:05 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-03-12 06:21 . 2010-02-20 20:53 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-03-09 09:13 . 2010-03-09 09:13 96896 ----a-w- c:\windows\system32\drivers\epfwwfpr.sys
2010-03-09 09:13 . 2010-03-09 09:13 114984 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2010-03-09 09:11 . 2010-03-09 09:11 133512 ----a-w- c:\windows\system32\drivers\eamonm.sys
2010-02-26 14:05 . 2010-03-10 14:36 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-02-24 14:33 . 2010-02-24 15:01 -------- d-----w- c:\program files\Venetica

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-21 16:57 . 2009-11-26 15:07 35465 ----a-w- c:\programdata\nvModes.dat
2010-03-21 14:55 . 2009-02-03 18:08 -------- d-----w- c:\programdata\Google Updater
2010-03-18 18:48 . 2009-10-20 18:48 19944 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-03-17 16:44 . 2007-01-08 21:09 606912 ----a-w- c:\windows\system32\perfh005.dat
2010-03-17 16:44 . 2007-01-08 21:09 119398 ----a-w- c:\windows\system32\perfc005.dat
2010-03-14 14:00 . 2010-01-20 15:46 -------- d-----w- c:\users\Jan Svoboda\AppData\Roaming\Nokia
2010-03-14 13:53 . 2010-03-14 13:53 0 ---ha-w- c:\windows\system32\drivers\Msft_User_PCCSWpdDriver_01_07_00.Wdf
2010-03-14 13:49 . 2010-01-20 15:35 -------- d-----w- c:\program files\Nokia
2010-03-14 13:49 . 2010-01-20 15:36 -------- d-----w- c:\program files\DIFX
2010-03-14 13:47 . 2010-01-20 16:14 -------- d-----w- c:\programdata\Installations
2010-03-12 14:59 . 2007-11-30 14:33 -------- d-----w- c:\programdata\NVIDIA
2010-03-12 13:08 . 2008-09-22 17:39 -------- d-----w- c:\users\Jan Svoboda\AppData\Roaming\IM
2010-03-12 06:25 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-03-12 06:24 . 2009-10-06 12:48 -------- d-----w- c:\programdata\Microsoft Help
2010-03-07 17:27 . 2008-02-04 20:02 -------- d-----w- c:\users\Jan Svoboda\AppData\Roaming\DVD Flick
2010-03-05 14:07 . 2008-07-16 07:26 -------- d-----w- c:\program files\Warcraft III
2010-02-26 14:22 . 2008-01-11 17:06 -------- d-----w- c:\program files\Hewlett-Packard
2010-02-26 14:17 . 2008-06-09 14:55 19 ----a-w- c:\users\Jan Svoboda\AppData\Roaming\mdbu.bin
2010-02-26 13:52 . 2007-12-15 10:51 -------- d-----w- c:\program files\CCleaner
2010-02-25 09:21 . 2007-11-30 14:13 120104 ----a-w- c:\users\Jan Svoboda\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-24 09:16 . 2009-10-03 08:57 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-21 13:27 . 2008-03-30 13:23 -------- d-----w- c:\users\Jan Svoboda\AppData\Roaming\Skype
2010-02-21 13:26 . 2008-03-30 13:30 -------- d-----w- c:\users\Jan Svoboda\AppData\Roaming\skypePM
2010-02-16 18:20 . 2010-02-16 18:19 -------- d-----w- c:\program files\QIP
2010-02-15 17:35 . 2010-02-03 15:39 -------- d-----w- c:\programdata\Nokia
2010-02-15 15:28 . 2008-11-03 15:59 -------- d-----w- c:\program files\Windows Live
2010-02-05 15:47 . 2007-12-25 12:55 -------- d-----w- c:\programdata\Media Center Programs
2010-02-03 16:25 . 2010-02-03 16:25 -------- d-----w- c:\users\Jan Svoboda\AppData\Roaming\Nseries
2010-01-25 12:00 . 2010-02-24 12:38 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-25 12:00 . 2010-02-24 12:38 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:00 . 2010-02-24 12:38 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-25 12:00 . 2010-02-24 12:38 471552 ----a-w- c:\windows\system32\secproc.dll
2010-01-25 11:58 . 2010-02-24 12:38 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-01-25 08:21 . 2010-02-24 12:38 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:21 . 2010-02-24 12:38 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:21 . 2010-02-24 12:38 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-25 08:21 . 2010-02-24 12:38 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-23 09:26 . 2010-02-24 12:38 2048 ----a-w- c:\windows\system32\tzres.dll
2010-01-22 12:43 . 2009-06-22 17:12 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-21 17:14 . 2010-01-20 15:47 -------- d-----w- c:\users\Jan Svoboda\AppData\Roaming\PC Suite
2010-01-21 17:14 . 2010-01-21 17:14 0 ---ha-w- c:\windows\system32\drivers\Msft_User_PCCSWpdDriver_01_05_00.Wdf
2010-01-21 17:14 . 2010-01-20 15:47 -------- d-----w- c:\programdata\PC Suite
2010-01-21 17:13 . 2010-01-21 17:13 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2010-01-11 21:18 . 2010-01-11 21:18 962664 ----a-w- c:\windows\system32\nvsvc.dll
2010-01-11 21:18 . 2010-01-11 21:18 13679720 ----a-w- c:\windows\system32\nvcpl.dll
2010-01-11 21:18 . 2010-01-11 21:18 129640 ----a-w- c:\windows\system32\nvvsvc.exe
2010-01-11 21:18 . 2010-01-11 21:18 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-01-06 15:39 . 2010-02-24 12:38 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-01-06 15:38 . 2010-02-24 12:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-01-06 15:38 . 2010-02-24 12:38 173056 ----a-w- c:\windows\AppPatch\AcXtrnal.dll
2010-01-06 15:38 . 2010-02-24 12:38 542720 ----a-w- c:\windows\AppPatch\AcLayers.dll
2010-01-06 15:38 . 2010-02-24 12:38 458752 ----a-w- c:\windows\AppPatch\AcSpecfc.dll
2010-01-06 15:38 . 2010-02-24 12:38 2159616 ----a-w- c:\windows\AppPatch\AcGenral.dll
2010-01-06 13:30 . 2010-02-24 12:38 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-01-02 06:38 . 2010-01-22 14:43 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-22 14:43 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32 . 2010-01-22 14:43 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57 . 2010-01-22 14:43 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2006-05-03 10:06 . 2009-03-05 15:35 163328 --sh--r- c:\windows\System32\flvDX.dll
2007-02-21 11:47 . 2009-03-05 15:35 31232 --sh--r- c:\windows\System32\msfDX.dll
2008-03-16 13:30 . 2009-03-05 15:35 216064 --sh--r- c:\windows\System32\nbDX.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-03-17_17.02.58 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-18 18:05 . 2010-03-18 18:05 10134 c:\windows\Installer\{9DFF6811-C498-45E4-94C8-A0B98FCBEC32}\callmsi.exe
+ 2010-03-21 16:56 . 2010-03-21 16:56 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2010-03-17 16:47 . 2010-03-17 16:47 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2010-03-21 16:56 . 2010-03-21 16:56 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2010-03-17 16:47 . 2010-03-17 16:47 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-03-18 18:05 . 2010-03-18 18:05 958464 c:\windows\Installer\a3768c.msi
+ 2010-03-18 18:05 . 2010-03-18 18:05 101480 c:\windows\Installer\{9DFF6811-C498-45E4-94C8-A0B98FCBEC32}\egui.exe
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-06-12 1414144]
"QIP2005"="c:\program files\QIP\qip.exe" [2009-08-13 3276288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-01 148888]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2010-03-09 2140880]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):ea,a1,f0,8d,51,56,ca,01

R0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]
R0 lceb;lceb;c:\windows\system32\drivers\idto.sys [x]
R0 utwc;utwc;c:\windows\system32\drivers\dyjrjgmg.sys [x]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [x]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2010-03-09 114984]
S2 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [2010-03-09 133512]
S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2010-03-09 810120]
S2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys [2010-03-09 96896]
S2 Remote Solver for COSMOSFloWorks 2007;Remote Solver for COSMOSFloWorks 2007;c:\program files\SolidWorks (2)\COSMOSFloWorks\FloWorks\binCFW\StandAloneSlv.exe [2007-07-23 675840]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Obsah adresáře 'Naplánované úlohy'

2010-03-21 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-03 15:10]

2010-03-21 c:\windows\Tasks\User_Feed_Synchronization-{D3BCFB12-CB3B-472F-9F00-1BB3D1BD21C9}.job
- c:\windows\system32\msfeedssync.exe [2010-01-22 04:56]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.idnes.cz/
uDefault_Search_URL = hxxp://search.qip.ru
uInternet Settings,ProxyServer = 192.168.1.1:80
uSearchAssistant = hxxp://search.qip.ru/ie
uSearchURL,(Default) = Root: HKCU; Subkey: Software\Microsoft\Internet Explorer\SearchUrl; ValueType: string; ValueName: '; ValueData: '; Flags: createvalueifdoesntexist noerror; Tasks: AddSearchQip
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Jan Svoboda\AppData\Roaming\Mozilla\Firefox\Profiles\2hrjvwbb.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.idnes.cz
FF - prefs.js: keyword.URL - hxxp://search.qip.ru/search?from=FF&query=
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-21 20:24
Windows 6.0.6002 Service Pack 2 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************
.
Celkový čas: 2010-03-21 20:26:34
ComboFix-quarantined-files.txt 2010-03-21 19:26
ComboFix2.txt 2010-03-17 19:35
ComboFix3.txt 2010-03-17 17:05

Před spuštěním: 7 371 636 736
Po spuštění: 7 332 962 304

- - End Of File - - 49EB80B073D54A600EBDD18E8B269AC5

[Caroprd111]

Pokud nemáte, přesuňte Combofix na plochu

• Otevřete si Poznámkový blok a zkopírujte do něj text z bílého okénka.

Kód: Vybrat vše

Driver::
lceb
utwc

File::
c:\windows\system32\drivers\idto.sys
c:\windows\system32\drivers\dyjrjgmg.sys

• Uložte Vámi vytvořený TXT soubor jako CFScript.txt na plochu
• Po uložení uchopte vámi vytvořený skript levým myšítkem a přesuňte ho nad ikonu Combofixu, kde ho upustíte:
  
  
• Po aplikaci na Vás vypadne další log,vložte ho sem

Může se stát, že po aplikaci skriptu a restartu Windows nenaběhnou, v tom případě znovu restartujte a přitom mačkejte F8, pak zvolte Poslední známou funkční konfiguraci



Vyberte si jeden antivir, zbývající odinstalujte.

[swobi]

jen otazka cemu by vadili dva antiviry? pouze jsem zkousel druhy z duvodu rad kamaradu ze pry je lepsi atd tak jsem chtel vedet jestli problem neodstrani on ale stejne se nepovedlo a tak jsem odinstaloval..

ComboFix 10-03-16.05 - Jan Svoboda 22.03.2010 16:35:55.5.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1250.420.1029.18.2046.1273 [GMT 1:00]
Spuštěný z: c:\users\Jan Svoboda\Desktop\ComboFix.exe
Použité ovládací přepínače :: c:\users\Jan Svoboda\Desktop\CFScript.txt
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\windows\system32\drivers\dyjrjgmg.sys"
"c:\windows\system32\drivers\idto.sys"
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_lceb
-------\Service_utwc


((((((((((((((((((((((((( Soubory vytvořené od 2010-02-22 do 2010-03-22 )))))))))))))))))))))))))))))))
.

2010-03-19 14:11 . 2010-03-19 14:11 -------- d-----w- c:\users\Jan Svoboda\AppData\Local\ESET
2010-03-17 20:55 . 2010-03-22 15:47 -------- d-----w- c:\users\Jan Svoboda\AppData\Local\temp
2010-03-17 16:08 . 2010-03-17 16:08 -------- d-----w- c:\program files\trend micro
2010-03-17 16:08 . 2010-03-17 16:08 -------- d-----w- C:\rsit
2010-03-17 14:03 . 2010-03-17 14:09 -------- d-----w- c:\program files\Common Files\ParetoLogic
2010-03-17 14:02 . 2010-03-17 14:02 -------- d-----w- c:\users\Jan Svoboda\AppData\Local\Downloaded Installations
2010-03-17 13:44 . 2010-03-17 13:44 -------- d-----w- c:\users\Jan Svoboda\AppData\Roaming\Malwarebytes
2010-03-17 13:44 . 2010-03-17 13:44 -------- d-----w- c:\programdata\Malwarebytes
2010-03-14 13:49 . 2010-03-14 13:49 -------- d-----w- c:\program files\Common Files\PCSuite
2010-03-14 13:49 . 2010-03-14 13:49 -------- d-----w- c:\program files\Common Files\Nokia
2010-03-14 13:49 . 2008-08-26 09:26 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
2010-03-14 13:49 . 2010-03-14 13:49 -------- d-----w- c:\program files\PC Connectivity Solution
2010-03-12 16:04 . 2010-03-12 16:04 -------- d-----w- c:\users\Jan Svoboda\AppData\Local\Opera
2010-03-12 16:04 . 2010-03-12 16:04 -------- d-----w- c:\program files\Opera
2010-03-12 14:58 . 2010-03-12 14:58 -------- d-----w- c:\program files\NVIDIA Corporation
2010-03-12 14:57 . 2010-02-12 10:32 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-03-12 06:21 . 2010-02-20 23:06 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-03-12 06:21 . 2010-02-20 23:05 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-03-12 06:21 . 2010-02-20 20:53 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-03-06 11:57 . 2009-12-08 20:01 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-03-06 11:57 . 2009-12-08 20:01 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-26 14:05 . 2010-03-10 14:36 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-02-24 14:33 . 2010-02-24 15:01 -------- d-----w- c:\program files\Venetica

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-22 15:47 . 2009-11-26 15:07 35465 ----a-w- c:\programdata\nvModes.dat
2010-03-21 14:55 . 2009-02-03 18:08 -------- d-----w- c:\programdata\Google Updater
2010-03-18 18:48 . 2009-10-20 18:48 19944 ------w- c:\windows\system32\drivers\atapi.sys
2010-03-17 16:44 . 2007-01-08 21:09 606912 ----a-w- c:\windows\system32\perfh005.dat
2010-03-17 16:44 . 2007-01-08 21:09 119398 ----a-w- c:\windows\system32\perfc005.dat
2010-03-14 14:00 . 2010-01-20 15:46 -------- d-----w- c:\users\Jan Svoboda\AppData\Roaming\Nokia
2010-03-14 13:53 . 2010-03-14 13:53 0 ---ha-w- c:\windows\system32\drivers\Msft_User_PCCSWpdDriver_01_07_00.Wdf
2010-03-14 13:49 . 2010-01-20 15:35 -------- d-----w- c:\program files\Nokia
2010-03-14 13:49 . 2010-01-20 15:36 -------- d-----w- c:\program files\DIFX
2010-03-14 13:47 . 2010-01-20 16:14 -------- d-----w- c:\programdata\Installations
2010-03-14 13:47 . 2010-03-14 13:47 95232 ----a-w- c:\programdata\Installations\{55495E65-7C5B-48E4-BC7D-DE54F3DE5ED6}\Installer\CommonCustomActions\pcswpcsi.exe
2010-03-14 13:47 . 2010-03-14 13:47 8192 ----a-w- c:\programdata\Installations\{55495E65-7C5B-48E4-BC7D-DE54F3DE5ED6}\Installer\CommonCustomActions\UninstCCD.exe
2010-03-14 13:47 . 2010-03-14 13:47 61440 ----a-w- c:\programdata\Installations\{55495E65-7C5B-48E4-BC7D-DE54F3DE5ED6}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2010-03-14 13:47 . 2010-03-14 13:47 10240 ----a-w- c:\programdata\Installations\{55495E65-7C5B-48E4-BC7D-DE54F3DE5ED6}\Installer\CommonCustomActions\UninstPCS.exe
2010-03-14 13:47 . 2010-03-14 13:47 34557984 ----a-w- c:\programdata\Installations\{55495E65-7C5B-48E4-BC7D-DE54F3DE5ED6}\Nokia_PC_Suite_7_1_30_8_cze_web.exe
2010-03-12 14:59 . 2007-11-30 14:33 -------- d-----w- c:\programdata\NVIDIA
2010-03-12 13:08 . 2008-09-22 17:39 -------- d-----w- c:\users\Jan Svoboda\AppData\Roaming\IM
2010-03-12 06:25 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-03-12 06:24 . 2009-10-06 12:48 -------- d-----w- c:\programdata\Microsoft Help
2010-03-07 17:27 . 2008-02-04 20:02 -------- d-----w- c:\users\Jan Svoboda\AppData\Roaming\DVD Flick
2010-03-05 14:07 . 2008-07-16 07:26 -------- d-----w- c:\program files\Warcraft III
2010-02-26 14:22 . 2008-01-11 17:06 -------- d-----w- c:\program files\Hewlett-Packard
2010-02-26 14:17 . 2008-06-09 14:55 19 ----a-w- c:\users\Jan Svoboda\AppData\Roaming\mdbu.bin
2010-02-26 13:52 . 2007-12-15 10:51 -------- d-----w- c:\program files\CCleaner
2010-02-25 09:21 . 2007-11-30 14:13 120104 ----a-w- c:\users\Jan Svoboda\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-24 09:16 . 2009-10-03 08:57 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-21 13:27 . 2008-03-30 13:23 -------- d-----w- c:\users\Jan Svoboda\AppData\Roaming\Skype
2010-02-21 13:26 . 2008-03-30 13:30 -------- d-----w- c:\users\Jan Svoboda\AppData\Roaming\skypePM
2010-02-16 18:20 . 2010-02-16 18:19 -------- d-----w- c:\program files\QIP
2010-02-15 17:35 . 2010-02-03 15:39 -------- d-----w- c:\programdata\Nokia
2010-02-15 15:28 . 2008-11-03 15:59 -------- d-----w- c:\program files\Windows Live
2010-02-05 15:47 . 2007-12-25 12:55 -------- d-----w- c:\programdata\Media Center Programs
2010-02-03 16:25 . 2010-02-03 16:25 -------- d-----w- c:\users\Jan Svoboda\AppData\Roaming\Nseries
2010-01-25 12:00 . 2010-02-24 12:38 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-25 12:00 . 2010-02-24 12:38 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:00 . 2010-02-24 12:38 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-25 12:00 . 2010-02-24 12:38 471552 ----a-w- c:\windows\system32\secproc.dll
2010-01-25 11:58 . 2010-02-24 12:38 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-01-25 08:21 . 2010-02-24 12:38 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:21 . 2010-02-24 12:38 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:21 . 2010-02-24 12:38 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-25 08:21 . 2010-02-24 12:38 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-23 09:26 . 2010-02-24 12:38 2048 ----a-w- c:\windows\system32\tzres.dll
2010-01-22 12:43 . 2009-06-22 17:12 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-21 17:14 . 2010-01-20 15:47 -------- d-----w- c:\users\Jan Svoboda\AppData\Roaming\PC Suite
2010-01-21 17:14 . 2010-01-21 17:14 0 ---ha-w- c:\windows\system32\drivers\Msft_User_PCCSWpdDriver_01_05_00.Wdf
2010-01-21 17:14 . 2010-01-20 15:47 -------- d-----w- c:\programdata\PC Suite
2010-01-21 17:13 . 2010-01-21 17:13 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2010-01-11 21:18 . 2010-01-11 21:18 962664 ----a-w- c:\windows\system32\nvsvc.dll
2010-01-11 21:18 . 2010-01-11 21:18 13679720 ----a-w- c:\windows\system32\nvcpl.dll
2010-01-11 21:18 . 2010-01-11 21:18 129640 ----a-w- c:\windows\system32\nvvsvc.exe
2010-01-11 21:18 . 2010-01-11 21:18 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-01-06 15:39 . 2010-02-24 12:38 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-01-06 15:38 . 2010-02-24 12:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-01-06 13:30 . 2010-02-24 12:38 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-01-02 06:38 . 2010-01-22 14:43 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-22 14:43 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32 . 2010-01-22 14:43 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57 . 2010-01-22 14:43 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2006-05-03 10:06 . 2009-03-05 15:35 163328 --sh--r- c:\windows\System32\flvDX.dll
2007-02-21 11:47 . 2009-03-05 15:35 31232 --sh--r- c:\windows\System32\msfDX.dll
2008-03-16 13:30 . 2009-03-05 15:35 216064 --sh--r- c:\windows\System32\nbDX.dll
.

(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-06-12 1414144]
"QIP2005"="c:\program files\QIP\qip.exe" [2009-08-13 3276288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-01 148888]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):ea,a1,f0,8d,51,56,ca,01

R0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]
R2 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [x]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [x]
S2 Remote Solver for COSMOSFloWorks 2007;Remote Solver for COSMOSFloWorks 2007;c:\program files\SolidWorks (2)\COSMOSFloWorks\FloWorks\binCFW\StandAloneSlv.exe [2007-07-23 675840]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Obsah adresáře 'Naplánované úlohy'

2010-03-22 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-03 15:10]

2010-03-21 c:\windows\Tasks\User_Feed_Synchronization-{D3BCFB12-CB3B-472F-9F00-1BB3D1BD21C9}.job
- c:\windows\system32\msfeedssync.exe [2010-01-22 04:56]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.idnes.cz/
uDefault_Search_URL = hxxp://search.qip.ru
uInternet Settings,ProxyServer = 192.168.1.1:80
uSearchAssistant = hxxp://search.qip.ru/ie
uSearchURL,(Default) = Root: HKCU; Subkey: Software\Microsoft\Internet Explorer\SearchUrl; ValueType: string; ValueName: '; ValueData: '; Flags: createvalueifdoesntexist noerror; Tasks: AddSearchQip
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Jan Svoboda\AppData\Roaming\Mozilla\Firefox\Profiles\2hrjvwbb.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.idnes.cz
FF - prefs.js: keyword.URL - hxxp://search.qip.ru/search?from=FF&query=
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-22 16:47
Windows 6.0.6002 Service Pack 2 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'Explorer.exe'(976)
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_cze.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\windows\system32\nvvsvc.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\WUDFHost.exe
c:\windows\system32\conime.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Celkový čas: 2010-03-22 16:55:59 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-03-22 15:55
ComboFix2.txt 2010-03-21 19:26
ComboFix3.txt 2010-03-17 19:35
ComboFix4.txt 2010-03-17 17:05

Před spuštěním: 6 430 330 880
Po spuštění: 6 285 217 792

- - End Of File - - 1A0F26E22B9F64599EB3E8B970F3D728

[Caroprd111]

Jak to vypadá s PC

[swobi]

probehl kompletni test a pocitac se zda byt cisty:) zajimalo by jak jste to presneji dokazal a jak se priste takovymto potizim vyhnout a co muzete poradit jinak mnohokrat dekuji

[Caroprd111]

Nahradil jsem infikovaný systémový soubor atapi.sys čistým. Těmto situacím se pravděpodobně nevyhnete, ale můžete je omezit tím, že nebudete stahovat cracky, otevírat neznáme emaily atd. Ještě poprosím o nový log z RSIT.

[swobi]

dekuji ze radu, ikdyz obcasnym crackum se asi nevyhnu..

Logfile of random's system information tool 1.06 (written by random/random)
Run by Jan Svoboda at 2010-03-24 15:03:43
Microsoft® Windows Vista™ Home Premium Service Pack 2
System drive C: has 6 GB (1%) free of 477 GB
Total RAM: 2046 MB (49% free)

HijackThis download failed

======Scheduled tasks folder======

C:\Windows\tasks\Google Software Updater.job
C:\Windows\tasks\User_Feed_Synchronization-{D3BCFB12-CB3B-472F-9F00-1BB3D1BD21C9}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22BF413B-C6D2-4d91-82A9-A0F997BA588C}]
Skype add-on (mastermind) - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2008-02-01 1377576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Pomocná služba pro přihlášení ke službě Windows Live ID - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-03-30 403824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll [2009-03-30 668656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-03-01 35840]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-19 1008184]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-03-01 148888]
"MSSE"=c:\Program Files\Microsoft Security Essentials\msseces.exe [2010-02-21 1093208]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"=C:\Windows\ehome\ehTray.exe [2008-01-19 125952]
"PC Suite Tray"=C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe [2009-06-12 1414144]
"QIP2005"=C:\Program Files\QIP\qip.exe [2009-08-13 3276288]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"= []

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MsMpSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\PEVSystemStart]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\procexp90.Sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfPf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfRd]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfUsbccidDriver]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"BindDirectlyToPropertySetStorage"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======File associations======

.js - edit - C:\Windows\System32\Notepad.exe %1
.scr - open - "C:\Windows\system32\notepad.exe" "%1"
.scr - install -
.scr - config -

======List of files/folders created in the last 1 months======

2010-03-22 16:56:03 ----D---- C:\Windows\temp
2010-03-22 16:56:02 ----A---- C:\ComboFix.txt
2010-03-22 16:47:24 ----D---- C:\$RECYCLE.BIN
2010-03-22 16:34:55 ----A---- C:\Windows\zip.exe
2010-03-22 16:34:55 ----A---- C:\Windows\SWSC.exe
2010-03-22 16:34:55 ----A---- C:\Windows\SWREG.exe
2010-03-22 16:34:55 ----A---- C:\Windows\sed.exe
2010-03-22 16:34:55 ----A---- C:\Windows\PEV.exe
2010-03-22 16:34:55 ----A---- C:\Windows\NIRCMD.exe
2010-03-22 16:34:55 ----A---- C:\Windows\MBR.exe
2010-03-22 16:34:55 ----A---- C:\Windows\grep.exe
2010-03-22 16:34:38 ----A---- C:\Windows\SWXCACLS.exe
2010-03-21 17:53:14 ----D---- C:\Avenger
2010-03-21 17:53:13 ----A---- C:\avenger.txt
2010-03-17 17:48:04 ----D---- C:\Windows\ERDNT
2010-03-17 17:43:20 ----D---- C:\Qoobox
2010-03-17 17:08:55 ----D---- C:\Program Files\trend micro
2010-03-17 17:08:54 ----D---- C:\rsit
2010-03-17 15:03:46 ----D---- C:\Program Files\Common Files\ParetoLogic
2010-03-17 14:44:48 ----D---- C:\Users\Jan Svoboda\AppData\Roaming\Malwarebytes
2010-03-17 14:44:44 ----D---- C:\ProgramData\Malwarebytes
2010-03-14 14:49:41 ----D---- C:\Program Files\Common Files\PCSuite
2010-03-14 14:49:37 ----D---- C:\Program Files\Common Files\Nokia
2010-03-14 14:49:18 ----D---- C:\Program Files\PC Connectivity Solution
2010-03-12 17:04:22 ----D---- C:\Users\Jan Svoboda\AppData\Roaming\Opera
2010-03-12 17:04:14 ----D---- C:\Program Files\Opera
2010-03-12 15:58:18 ----D---- C:\Program Files\NVIDIA Corporation
2010-03-12 15:57:07 ----A---- C:\Windows\system32\browserchoice.exe
2010-03-12 07:21:59 ----A---- C:\Windows\system32\nshhttp.dll
2010-03-12 07:21:57 ----A---- C:\Windows\system32\httpapi.dll
2010-03-06 12:57:12 ----A---- C:\Windows\system32\ntoskrnl.exe
2010-03-06 12:57:12 ----A---- C:\Windows\system32\ntkrnlpa.exe
2010-02-26 15:05:02 ----D---- C:\Program Files\Microsoft Security Essentials

======List of files/folders modified in the last 1 months======

2010-03-24 15:03:44 ----D---- C:\Windows\Prefetch
2010-03-24 14:44:30 ----SHD---- C:\System Volume Information
2010-03-24 14:40:48 ----D---- C:\Windows\system32\catroot
2010-03-24 14:40:45 ----D---- C:\Windows\winsxs
2010-03-24 14:32:58 ----D---- C:\Windows\Tasks
2010-03-23 18:58:54 ----D---- C:\Windows
2010-03-23 17:57:44 ----D---- C:\ProgramData\Google Updater
2010-03-22 16:56:04 ----D---- C:\Windows\system32\drivers
2010-03-22 16:47:27 ----A---- C:\Windows\system.ini
2010-03-22 16:44:06 ----D---- C:\Windows\system32\config
2010-03-22 16:40:30 ----D---- C:\Windows\System32
2010-03-22 16:40:30 ----D---- C:\Windows\AppPatch
2010-03-22 16:40:29 ----D---- C:\Program Files\Common Files
2010-03-22 16:05:20 ----SHD---- C:\Windows\Installer
2010-03-22 16:05:11 ----D---- C:\ProgramData
2010-03-22 16:05:10 ----RD---- C:\Program Files
2010-03-21 20:17:04 ----D---- C:\Windows\system32\catroot2
2010-03-17 20:22:03 ----D---- C:\Boot
2010-03-17 17:44:38 ----D---- C:\Windows\inf
2010-03-17 17:44:38 ----A---- C:\Windows\system32\PerfStringBackup.INI
2010-03-17 15:03:57 ----D---- C:\Windows\system32\Tasks
2010-03-17 14:57:49 ----AD---- C:\ProgramData\TEMP
2010-03-17 14:33:37 ----D---- C:\Windows\Logs
2010-03-14 15:00:01 ----D---- C:\Users\Jan Svoboda\AppData\Roaming\Nokia
2010-03-14 14:51:13 ----D---- C:\Windows\SoftwareDistribution
2010-03-14 14:49:39 ----D---- C:\Program Files\Nokia
2010-03-14 14:49:29 ----D---- C:\Program Files\DIFX
2010-03-14 14:49:28 ----DC---- C:\Windows\system32\DRVSTORE
2010-03-14 14:47:53 ----D---- C:\ProgramData\Installations
2010-03-12 16:55:54 ----D---- C:\Program Files\Mozilla Firefox
2010-03-12 15:59:08 ----D---- C:\ProgramData\NVIDIA
2010-03-12 14:08:22 ----D---- C:\Users\Jan Svoboda\AppData\Roaming\IM
2010-03-12 13:45:43 ----D---- C:\Windows\system32\LogFiles
2010-03-12 11:30:02 ----D---- C:\Windows\Debug
2010-03-12 07:25:54 ----D---- C:\Program Files\Windows Mail
2010-03-12 07:25:54 ----D---- C:\Program Files\Movie Maker
2010-03-12 07:24:49 ----D---- C:\ProgramData\Microsoft Help
2010-03-07 18:27:45 ----D---- C:\Users\Jan Svoboda\AppData\Roaming\DVD Flick
2010-03-05 15:07:33 ----D---- C:\Program Files\Warcraft III
2010-03-02 06:30:12 ----A---- C:\Windows\system32\mrt.exe
2010-02-26 15:33:15 ----A---- C:\Windows\win.ini
2010-02-26 15:22:28 ----D---- C:\Program Files\Hewlett-Packard
2010-02-26 14:52:16 ----D---- C:\Program Files\CCleaner
2010-02-25 15:11:54 ----D---- C:\Windows\rescache
2010-02-25 10:17:27 ----RSD---- C:\Windows\Fonts
2010-02-25 10:17:27 ----D---- C:\Windows\system32\cs-CZ

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 ElbyCDIO;ElbyCDIO Driver; C:\Windows\System32\Drivers\ElbyCDIO.sys [2007-02-28 15440]
R1 MpFilter;Microsoft Malware Protection Driver; C:\Windows\system32\DRIVERS\MpFilter.sys [2009-12-02 149040]
R2 atksgt;atksgt; C:\Windows\system32\DRIVERS\atksgt.sys [2007-12-26 278984]
R2 Hardlock;Hardlock; \??\C:\Windows\system32\drivers\hardlock.sys [2004-11-05 670208]
R2 lirsgt;lirsgt; C:\Windows\system32\DRIVERS\lirsgt.sys [2007-12-26 25416]
R3 HdAudAddService;Ovladač funkce Microsoft 1.1 UAA pro službu zvuku High Definition Audio; C:\Windows\system32\drivers\HdAudio.sys [2009-04-11 236544]
R3 nvlddmkm;nvlddmkm; C:\Windows\system32\DRIVERS\nvlddmkm.sys [2010-01-12 11586280]
R3 pcouffin;VSO Software pcouffin; C:\Windows\System32\Drivers\pcouffin.sys [2008-01-31 47360]
R3 RTL8169;Realtek 8169 NT Driver; C:\Windows\system32\DRIVERS\Rtlh86.sys [2009-12-20 234016]
R3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-19 83328]
S2 eamonm;eamonm; C:\Windows\system32\DRIVERS\eamonm.sys []
S3 AnyDVD;AnyDVD; C:\Windows\System32\Drivers\AnyDVD.sys []
S3 catchme;catchme; \??\C:\Users\JANSVO~1\AppData\Local\Temp\catchme.sys []
S3 drmkaud;Dekodér zvuků DRM jádra společnosti Microsoft; C:\Windows\system32\drivers\drmkaud.sys [2008-01-19 5632]
S3 ElbyCDFL;ElbyCDFL; C:\Windows\System32\Drivers\ElbyCDFL.sys [2005-05-03 27392]
S3 ElbyDelay;ElbyDelay; C:\Windows\System32\Drivers\ElbyDelay.sys [2007-02-16 11984]
S3 gdrv;gdrv; \??\C:\Windows\gdrv.sys [2007-11-30 15600]
S3 hamachi;Hamachi Network Interface; C:\Windows\system32\DRIVERS\hamachi.sys [2008-05-13 25280]
S3 k750bus;Sony Ericsson 750 driver (WDM); C:\Windows\system32\DRIVERS\k750bus.sys [2005-02-11 55216]
S3 MSKSSRV;Server proxy služby datových proudů Microsoft; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-19 8192]
S3 MSPCLOCK;Server proxy hodin datových proudů Microsoft; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-19 5888]
S3 MSPQM;Server proxy správce kvality datových proudů Microsoft; C:\Windows\system32\drivers\MSPQM.sys [2008-01-19 5504]
S3 MSTEE;Konvertor jímka-jímka typu T datových proudů Microsoft; C:\Windows\system32\drivers\MSTEE.sys [2008-01-19 6016]
S3 nmwcd;Nokia USB Phone Parent; C:\Windows\system32\drivers\ccdcmb.sys [2009-02-09 17664]
S3 nmwcdc;Nokia USB Generic; C:\Windows\system32\drivers\ccdcmbo.sys [2009-02-09 22016]
S3 pccsmcfd;PCCS Mode Change Filter Driver; C:\Windows\system32\DRIVERS\pccsmcfd.sys [2008-08-26 18816]
S3 upperdev;upperdev; C:\Windows\system32\DRIVERS\usbser_lowerflt.sys [2009-02-09 7808]
S3 usbscan;Ovladač skeneru USB; C:\Windows\system32\DRIVERS\usbscan.sys [2008-01-19 35328]
S3 usbser;USB Modem Driver; C:\Windows\system32\drivers\usbser.sys [2009-04-11 27648]
S3 UsbserFilt;UsbserFilt; C:\Windows\system32\DRIVERS\usbser_lowerfltj.sys [2009-02-09 7808]
S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2009-10-01 40448]
S4 sptd;sptd; C:\Windows\System32\Drivers\sptd.sys []
S4 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\drivers\wmiacpi.sys [2006-11-02 11264]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 MsMpSvc;Microsoft Antimalware Service; c:\Program Files\Microsoft Security Essentials\MsMpEng.exe [2009-12-09 17904]
R2 nvsvc;NVIDIA Display Driver Service; C:\Windows\system32\nvvsvc.exe [2010-01-11 129640]
R2 PnkBstrA;PnkBstrA; C:\Windows\system32\PnkBstrA.exe [2008-11-26 66872]
R2 Remote Solver for COSMOSFloWorks 2007;Remote Solver for COSMOSFloWorks 2007; C:\Program Files\SolidWorks (2)\COSMOSFloWorks\FloWorks\binCFW\StandAloneSlv.exe [2007-07-23 675840]
R2 wlidsvc;Windows Live ID Sign-in Assistant; C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE [2009-03-30 1533808]
R3 ServiceLayer;ServiceLayer; C:\Program Files\PC Connectivity Solution\ServiceLayer.exe [2009-06-02 637952]
S2 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-30 183280]
S3 Autodesk Licensing Service;Autodesk Licensing Service; C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe [2008-01-28 85096]
S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2009-03-15 655624]
S3 FontCache;@%systemroot%\system32\FntCache.dll,-100; C:\Windows\system32\svchost.exe [2008-01-19 21504]
S3 NBService;NBService; C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe [2007-04-13 792112]
S3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe [2007-05-16 271920]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 SolidWorks Licensing Service;SolidWorks Licensing Service; C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe [2008-09-22 79360]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]

-----------------EOF-----------------

[Caroprd111]

Stahněte OTL http://oldtimer.geekstogo.com/OTL.exe

• Spusťte program, poté klikněte na Run Scan
• Po dokončení, sem vložte logy OTL.Txt a Extras.txt