
PC virus removal, computer speed-up, remote help via the neslape.cz service
Angela.C please help!!!
Moderator: Moderators
Forum rules
If you want help, post a log from FRST [guide here] or RSIT [guide here]
Individual threads will be locked once resolved, as will those that remain inactive for more than 14 days. See the Rule on locking topics. Thank you for your understanding.
!NEW!
You can now use the remote help service, where an expert connects to your computer and obtains further details about the problem from you by phone! More at www.neslape.cz
- Visitor
- Posts: 43
- Registered: 21 Jan 2010 10:56
Re: Angela.C please help!!!
Should I do something about it?
- Visitor
- Posts: 43
- Registered: 21 Jan 2010 10:56
Re: Angela.C please help!!!

log from mr.txt:
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A2256E8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x8a2256e8
Warning: possible MBR rootkit infection !
user & kernel MBR OK
PE file found in sector at 0x0DF8F900 !
Use "Recovery Console" command "fixmbr" to clear infection !
- Visitor
- Posts: 43
- Registered: 21 Jan 2010 10:56
Re: Angela.C please help!!!
still that atapi, right....
- Visitor
- Posts: 43
- Registered: 21 Jan 2010 10:56
Re: Angela.C please help!!!
log from mbr:
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: >>UNKNOWN [0x804D7000]<< >>UNKNOWN [0xBA908000]<< >>UNKNOWN [0xBA8F8000]<< >>UNKNOWN [0x8A089348]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x8a089348
Warning: possible MBR rootkit infection !
user & kernel MBR OK
PE file found in sector at 0x0DF8F900 !
Use "Recovery Console" command "fixmbr" to clear infection !
Wouldn't it be easier to format the C drive and reinstall the OS?
- Visitor
- Posts: 43
- Registered: 21 Jan 2010 10:56
Re: Angela.C please help!!!
Yep, after uninstalling spdt and restarting
- Visitor
- Posts: 43
- Registered: 21 Jan 2010 10:56
Re: Angela.C please help!!!
ComboFix 10-01-20.05 - DK 22.01.2010 14:06:44.3.1 - x86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.420.1029.18.2046.1708 [GMT 1:00]
Spuštěný z: c:\documents and settings\DK\Plocha\ComboFix.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Rezidentní štít AV je zapnutý
.
((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\setup.exe
.
((((((((((((((((((((((((( Soubory vytvořené od 2009-12-22 do 2010-01-22 )))))))))))))))))))))))))))))))
.
2010-01-22 10:11 . 2010-01-22 10:11 -------- d-----w- c:\program files\HxD
2010-01-22 10:05 . 2010-01-22 10:05 77312 ----a-w- C:\mbr.exe
2010-01-22 08:56 . 2010-01-22 10:10 -------- d-----w- c:\program files\PowerArchiver
2010-01-21 17:37 . 2010-01-21 17:37 -------- d-----w- c:\program files\Nero
2010-01-21 13:07 . 2004-08-03 22:07 42368 -c--a-w- c:\windows\system32\dllcache\agp440.sys
2010-01-21 13:07 . 2004-08-03 22:07 42368 ------w- c:\windows\system32\drivers\agp440.sys
2010-01-21 12:49 . 2004-08-03 22:07 42368 ----a-w- C:\agp440.sys
2010-01-21 12:49 . 2010-01-21 12:49 -------- d-----w- C:\_OTL
2010-01-21 12:49 . 2004-08-03 21:59 105472 ----a-w- C:\hal.dll
2010-01-21 11:08 . 2010-01-21 11:10 -------- d-----w- c:\program files\trend micro
2010-01-21 11:08 . 2010-01-21 11:08 -------- d-----w- C:\rsit
2010-01-20 16:16 . 2010-01-21 17:39 -------- d-----w- c:\program files\Common Files\Nero
2010-01-06 09:24 . 2010-01-06 09:24 -------- d-----w- c:\program files\Studio V5
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-21 21:19 . 2009-06-10 08:15 362424 ----a-w- c:\windows\system32\nvModes.dat
2010-01-21 14:53 . 2009-06-10 11:33 -------- d-----w- c:\program files\D-Tools
2010-01-21 14:22 . 2001-10-25 14:00 46016 ----a-w- c:\windows\system32\perfc005.dat
2010-01-21 14:22 . 2001-10-25 14:00 309716 ----a-w- c:\windows\system32\perfh005.dat
2010-01-21 10:24 . 2009-06-22 20:07 -------- d-----w- c:\program files\QIP
2010-01-20 16:00 . 2009-11-28 16:50 -------- d-----w- c:\program files\Bonjour
2010-01-20 15:58 . 2009-06-10 08:51 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-04 16:20 . 2009-12-04 16:20 -------- d-----w- c:\program files\Free WMA to MP3 Converter
2009-12-03 11:40 . 2009-06-10 12:00 -------- d-----w- c:\program files\MediaCoder
2009-11-28 16:52 . 2009-11-28 16:51 -------- d-----w- c:\program files\iTunes
2009-11-28 16:51 . 2009-11-28 16:51 -------- d-----w- c:\program files\iPod
2009-11-28 16:51 . 2009-11-26 13:34 -------- d-----w- c:\program files\Common Files\Apple
2009-11-26 13:38 . 2009-11-26 13:37 -------- d-----w- c:\program files\QuickTime
2009-11-26 13:33 . 2009-11-26 13:33 -------- d-----w- c:\program files\Apple Software Update
2009-11-24 12:28 . 2009-06-10 12:03 -------- d-----w- c:\program files\Java
2009-11-10 08:02 . 2009-11-09 15:20 80 ---ha-r- c:\windows\ssystda.dat
.
((((((((((((((((((((((((((((( SnapShot@2010-01-21_16.47.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-01-22 13:11 . 2010-01-22 13:11 16384 c:\windows\Temp\Perflib_Perfdata_c4.dat
+ 2010-01-22 13:06 . 2010-01-22 13:06 16384 c:\windows\Temp\Perflib_Perfdata_7f4.dat
+ 2009-08-06 18:24 . 2009-08-06 18:24 44768 c:\windows\system32\wups2.dll
+ 2009-06-10 07:38 . 2009-08-06 18:24 35552 c:\windows\system32\wups.dll
+ 2009-06-10 07:38 . 2009-08-06 18:24 53472 c:\windows\system32\wuauclt.exe
+ 2008-11-30 10:53 . 2008-11-30 10:53 56496 c:\windows\system32\WBHELP2.DLL
+ 2010-01-21 17:48 . 2009-08-06 18:24 35552 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.4.7600.226\wups.dll
+ 2008-06-06 13:54 . 2008-06-06 13:54 95600 c:\windows\system32\NeroCo.dll
+ 2006-12-19 09:30 . 2006-12-19 09:30 81920 c:\windows\system32\IoctlSvc.exe
+ 2008-06-08 08:37 . 2008-06-08 08:37 11304 c:\windows\system32\drivers\imagedrv.sys
+ 2009-06-10 07:38 . 2009-08-06 18:24 35552 c:\windows\system32\dllcache\wups.dll
+ 2009-06-10 07:38 . 2009-08-06 18:24 53472 c:\windows\system32\dllcache\wuauclt.exe
+ 2004-08-17 13:49 . 2009-08-06 18:24 96480 c:\windows\system32\dllcache\cdm.dll
+ 2004-08-17 13:49 . 2009-08-06 18:24 96480 c:\windows\system32\cdm.dll
+ 2010-01-22 08:56 . 2010-01-22 08:56 65952 c:\windows\Installer\{059A0710-5452-4BA7-AFDC-3B9684AA10F0}\POWERARC.exe
+ 2008-06-06 13:54 . 2008-06-06 13:54 972072 c:\windows\UNRecode.exe
+ 2007-03-21 20:02 . 2007-03-21 20:02 972336 c:\windows\UNNeroVision.exe
+ 2007-02-28 15:41 . 2007-02-28 15:41 972336 c:\windows\UNNeroShowTime.exe
+ 2008-06-24 15:06 . 2008-06-24 15:06 972072 c:\windows\UNNeroMediaHome.exe
+ 2007-03-20 20:22 . 2007-03-20 20:22 972336 c:\windows\UNNeroBackItUp.exe
+ 2009-06-10 07:38 . 2009-08-06 18:24 209632 c:\windows\system32\wuweb.dll
+ 2009-06-10 07:38 . 2009-08-06 18:24 327896 c:\windows\system32\wucltui.dll
+ 2009-06-10 07:38 . 2009-08-06 18:23 575704 c:\windows\system32\wuapi.dll
+ 2006-03-17 11:45 . 2006-03-17 11:45 802816 c:\windows\system32\imagXRA7.dll
- 2008-07-04 09:23 . 2008-07-04 09:23 802816 c:\windows\system32\imagXRA7.dll
- 2008-07-04 09:23 . 2008-07-04 09:23 258048 c:\windows\system32\imagXR7.dll
+ 2006-03-17 11:45 . 2006-03-17 11:45 258048 c:\windows\system32\imagXR7.dll
- 2008-07-04 09:23 . 2008-07-04 09:23 497296 c:\windows\system32\imagXpr7.dll
+ 2006-03-17 11:45 . 2006-03-17 11:45 497296 c:\windows\system32\imagXpr7.dll
+ 2008-06-08 08:37 . 2008-06-08 08:37 132904 c:\windows\system32\drivers\imagesrv.sys
+ 2009-06-10 07:38 . 2009-08-06 18:24 209632 c:\windows\system32\dllcache\wuweb.dll
+ 2009-06-10 07:38 . 2009-08-06 18:24 327896 c:\windows\system32\dllcache\wucltui.dll
+ 2009-06-10 07:38 . 2009-08-06 18:23 575704 c:\windows\system32\dllcache\wuapi.dll
+ 2010-01-22 08:56 . 2010-01-22 08:56 368128 c:\windows\Installer\243713.msi
+ 2009-06-10 07:38 . 2009-08-06 18:23 1929952 c:\windows\system32\wuaueng.dll
- 2008-07-04 09:23 . 2008-07-04 09:23 1757184 c:\windows\system32\imagX7.dll
+ 2006-03-17 11:45 . 2006-03-17 11:45 1757184 c:\windows\system32\imagX7.dll
+ 2009-06-10 07:38 . 2009-08-06 18:23 1929952 c:\windows\system32\dllcache\wuaueng.dll
+ 2010-01-21 17:36 . 2005-12-05 17:09 2323664 c:\windows\system32\d3dx9_28.dll
+ 2010-01-21 17:39 . 2010-01-21 17:39 7782400 c:\windows\Installer\2d3515.msi
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-11 8429568]
"nwiz"="nwiz.exe" [2007-05-11 1626112]
"NVHotkey"="nvHotkey.dll" [2007-05-11 67584]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-05-11 81920]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
"SigmatelSysTrayApp"="stsystra.exe" [2007-05-06 405504]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-17 15360]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Nabídka Start^Programy^Po spuštění^Bluetooth.lnk]
path=c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-11 20:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
2004-08-22 15:05 81920 ----a-w- c:\program files\D-Tools\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
2007-05-14 12:23 1191936 ----a-w- c:\program files\Dell\QuickSet\quickset.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\egui]
2009-05-14 13:47 2029640 ----a-w- c:\program files\ESET\ESET NOD32 Antivirus\egui.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2008-06-24 15:06 1840424 ----a-w- c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 15:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
2008-06-08 08:31 2221352 ----a-w- c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2008-06-19 08:53 570664 ----a-w- c:\program files\Common Files\Nero\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-10 22:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
2008-07-02 14:16 393216 ----a-w- c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-11 03:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2007-04-27 14:10 851968 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-09-14 10:34 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2009-12-12 18:39 289584 ----a-w- c:\program files\uTorrent\uTorrent.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"ERSvc"=2 (0x2)
"wscsvc"=2 (0x2)
"SharedAccess"=2 (0x2)
"Nero BackItUp Scheduler 3"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\QIP\\qip.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [10.6.2009 12:33 155136]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [14.5.2009 14:47 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [14.5.2009 14:49 94360]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [14.5.2009 14:47 731840]
S3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\drivers\s0016bus.sys [10.6.2009 12:56 89256]
S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\drivers\s0016mdfl.sys [10.6.2009 12:56 15016]
S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\drivers\s0016mdm.sys [10.6.2009 12:56 120744]
S3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0016mgmt.sys [10.6.2009 12:56 114216]
S3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\drivers\s0016nd5.sys [10.6.2009 12:56 25512]
S3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\drivers\s0016obex.sys [10.6.2009 12:56 110632]
S3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\drivers\s0016unic.sys [10.6.2009 12:56 115752]
S4 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [10.6.2009 12:33 5248]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.seznam.cz/
uDefault_Search_URL = hxxp://search.qip.ru
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://search.qip.ru/ie
uSearchURL,(Default) = Root: HKCU; Subkey: Software\Microsoft\Internet Explorer\SearchUrl; ValueType: string; ValueName: '; ValueData: '; Flags: createvalueifdoesntexist noerror; Tasks: AddSearchQip
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\DK\Data aplikací\Mozilla\Firefox\Profiles\hsl5mqgw.default\
FF - prefs.js: browser.search.selectedEngine - QIP Search
FF - prefs.js: browser.startup.homepage - hxxp://seznam.cz/
FF - prefs.js: keyword.URL - hxxp://search.qip.ru/search?from=FF&query=
---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-22 14:12
Windows 5.1.2600 Service Pack 2 NTFS
skenování skrytých procesů ...
skenování skrytých položek 'Po spuštění' ...
skenování skrytých souborů ...
sken byl úspešně dokončen
skryté soubory: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A038390]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba90cfc3
\Driver\ACPI -> ACPI.sys @ 0xba759cb8
\Driver\atapi -> 0x8a038390
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80577d44
ParseProcedure -> ntkrnlpa.exe @ 0x80576964
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80577d44
ParseProcedure -> ntkrnlpa.exe @ 0x80576964
NDIS: Bezdrátová minikarta Dell 1390 WLAN #2 -> SendCompleteHandler -> NDIS.sys @ 0xba5f8ba0
PacketIndicateHandler -> NDIS.sys @ 0xba5e7a0b
SendHandler -> NDIS.sys @ 0xba5fbb31
Warning: possible MBR rootkit infection !
user & kernel MBR OK
PE file found in sector at 0x0DF8F900 !
**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------
- - - - - - - > 'winlogon.exe'(936)
c:\windows\System32\BCMLogon.dll
- - - - - - - > 'explorer.exe'(3112)
c:\windows\system32\nview.dll
c:\windows\system32\nvwddi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\IoctlSvc.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\stsystra.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Celkový čas: 2010-01-22 14:16:02 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-01-22 13:15
ComboFix2.txt 2010-01-21 16:50
ComboFix3.txt 2010-01-21 14:30
Před spuštěním: Volných bajtů: 13 623 767 040
Po spuštění: Volných bajtů: 15 539 310 592
- - End Of File - - 4D41DC0D2F1A41B8BB27CD693BC36C22
Oh, and when I shut down the computer it doesn't turn off; instead it shows me the message "Nyní můžete počítač vypnout" (You can now turn off the computer) and I have to switch it off with the button. Do you know what to do about that?
uSearchURL,(Default) = Root: HKCU; Subkey: Software\Microsoft\Internet Explorer\SearchUrl; ValueType: string; ValueName: '; ValueData: '; Flags: createvalueifdoesntexist noerror; Tasks: AddSearchQip
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\DK\Data aplikací\Mozilla\Firefox\Profiles\hsl5mqgw.default\
FF - prefs.js: browser.search.selectedEngine - QIP Search
FF - prefs.js: browser.startup.homepage - hxxp://seznam.cz/
FF - prefs.js: keyword.URL - hxxp://search.qip.ru/search?from=FF&query=
---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-22 14:12
Windows 5.1.2600 Service Pack 2 NTFS
skenování skrytých procesů ...
skenování skrytých položek 'Po spuštění' ...
skenování skrytých souborů ...
sken byl úspešně dokončen
skryté soubory: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A038390]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba90cfc3
\Driver\ACPI -> ACPI.sys @ 0xba759cb8
\Driver\atapi -> 0x8a038390
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80577d44
ParseProcedure -> ntkrnlpa.exe @ 0x80576964
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80577d44
ParseProcedure -> ntkrnlpa.exe @ 0x80576964
NDIS: Bezdrátová minikarta Dell 1390 WLAN #2 -> SendCompleteHandler -> NDIS.sys @ 0xba5f8ba0
PacketIndicateHandler -> NDIS.sys @ 0xba5e7a0b
SendHandler -> NDIS.sys @ 0xba5fbb31
Warning: possible MBR rootkit infection !
user & kernel MBR OK
PE file found in sector at 0x0DF8F900 !
**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------
- - - - - - - > 'winlogon.exe'(936)
c:\windows\System32\BCMLogon.dll
- - - - - - - > 'explorer.exe'(3112)
c:\windows\system32\nview.dll
c:\windows\system32\nvwddi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\IoctlSvc.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\stsystra.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Celkový čas: 2010-01-22 14:16:02 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-01-22 13:15
ComboFix2.txt 2010-01-21 16:50
ComboFix3.txt 2010-01-21 14:30
Před spuštěním: Volných bajtů: 13 623 767 040
Po spuštění: Volných bajtů: 15 539 310 592
- - End Of File - - 4D41DC0D2F1A41B8BB27CD693BC36C22
Oh, and when I shut the computer down it doesn't power off; instead it shows the message "Nyní můžete počítač vypnout" (i.e. "It is now safe to turn off your computer") and I have to switch it off with the button. Any idea what to do about that?
- Visitor
- Posts: 43
- Registered: 21 Jan 2010 10:56
Re: Angela.C please help!!!
Add-Remove Programs.txt:
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8 - Czech
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Adobe SVG Viewer 3.0
ADSL USB MODEM
Aktualizace systému Windows XP (KB898461)
ALZip
AMR to MP3 Converter 1.4
Apple Application Support
Apple Mobile Device Support
Apple Software Update
µTorrent
Audacity 1.2.6
Audacity 1.3.8 (Unicode)
Balíček ovladače systému Windows - Ricoh Company (rimsptsk) hdc (11/14/2006 6.00.01.04)
Bonjour
Broadcom 440x 10/100 Integrated Controller
BSPlayer
Camera RAW Plug-In for EPSON Creativity Suite
Codec Pack - All In 1 6.0.3.0
Conexant HDA D330 MDC V.92 Modem
CX4300_5500_DX4400 Manuál
Dell Resource CD
Dell Touchpad
Dell Wireless WLAN Card
DVD Shrink 3.2
EasyCleaner
EPSON Attach To Email
EPSON Copy Utility 3
EPSON Easy Photo Print
EPSON File Manager
EPSON Scan
EPSON Scan Assistant
ESET NOD32 Antivirus
Free 3GP Video Converter version 2.4
Free WMA to MP3 Converter 1.16
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
HxD Hex Editor version 1.7.7.0
ImagXpress
IntelliSonic Speech Enhancement
iTunes
Java(TM) 6 Update 17
Java(TM) SE Runtime Environment 6 Update 1
JPEG Resampler Vs 4.3
LG PC Suite II
LG USB Modem driver
LogoMaker 2.0
MediaCoder 0.6.0
Microsoft Office Professional Edition 2003
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.6)
Nero 8
neroxml
NVIDIA Drivers
PowerArchiver 2010
PowerDVD
PSPad editor
QIP 2005 8095
QuickSet
QuickTime
RealPlayer
SigmaTel Audio
Skype web features
Skype™ 4.1
Software tiskárny EPSON
Sony Ericsson PC Suite 4.010.00
System Requirements Lab
Teaching-you Project Management Skills
Total Commander (Remove or Repair)
VideoLAN VLC media player 0.8.6c
WebFldrs XP
WIDCOMM Bluetooth Software
Winamp
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
- Visitor
- Posts: 43
- Registered: 21 Jan 2010 10:56
Re: Angela.C please help!!!
mbr log:
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A09FA50]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x8a09fa50
Warning: possible MBR rootkit infection !
user & kernel MBR OK
PE file found in sector at 0x0DF8F900 !
Use "Recovery Console" command "fixmbr" to clear infection !
- Visitor
- Posts: 43
- Registered: 21 Jan 2010 10:56
Re: Angela.C please help!!!
I did everything as you described, doctor. What now? A log from mbr -t?
- Visitor
- Posts: 43
- Registered: 21 Jan 2010 10:56
Re: Angela.C please help!!!
So, it worked with the second option, and here is the log:
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A11FD08]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x8a11fd08
Warning: possible MBR rootkit infection !
user & kernel MBR OK
PE file found in sector at 0x0DF8F900 !
Use "Recovery Console" command "fixmbr" to clear infection !
- Visitor
- Posts: 43
- Registered: 21 Jan 2010 10:56
Re: Angela.C please help!!!
When I enter the command it gives me "control service Failed 1052".
- Visitor
- Posts: 43
- Registered: 21 Jan 2010 10:56
Re: Angela.C please help!!!
mbr log:
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A11FD08]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x8a11fd08
Warning: possible MBR rootkit infection !
user & kernel MBR OK
PE file found in sector at 0x0DF8F900 !
Use "Recovery Console" command "fixmbr" to clear infection !
- Visitor
- Posts: 43
- Registered: 21 Jan 2010 10:56
Re: Angela.C please help!!!
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A296008]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x8a296008
Warning: possible MBR rootkit infection !
user & kernel MBR OK
PE file found in sector at 0x0DF8F900 !
Use "Recovery Console" command "fixmbr" to clear infection !
- Visitor
- Posts: 43
- Registered: 21 Jan 2010 10:56
Re: Angela.C please help!!!
If anything, just forget about it; I'll format it next week and that will be the end of it.