VIRY.CZ

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "c:\atapi.sys|c:\windows\system32\drivers\atapi.sys" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

ComboFix 10-01-30.05 - Owner 31.01.2010 13:14:28.4.2 - x86
Systém Microsoft Windows XP Home Edition 5.1.2600.3.1250.421.1033.18.2030.1627 [GMT 1:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100130-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\My Documents\cc_20100130_155613.reg

.
((((((((((((((((((((((((( Files Created from 2009-12-28 to 2010-01-31 )))))))))))))))))))))))))))))))
.

2010-01-31 08:38 . 2010-01-31 08:38 -------- d--h--w- c:\windows\PIF
2010-01-31 08:23 . 2010-01-31 08:23 -------- d-----w- c:\program files\Lavalys
2010-01-30 17:22 . 2010-01-30 17:22 -------- d-sh--w- c:\documents and settings\Owner\IECompatCache
2010-01-30 17:21 . 2010-01-30 17:21 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-01-30 17:20 . 2010-01-30 17:20 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE
2010-01-30 17:19 . 2010-01-30 17:19 -------- d-sh--w- c:\documents and settings\Owner\IETldCache
2010-01-30 17:15 . 2010-01-30 19:05 -------- d-----w- c:\windows\ie8updates
2010-01-30 17:13 . 2010-01-30 17:15 -------- dc-h--w- c:\windows\ie8
2010-01-30 17:12 . 2009-12-11 08:38 69120 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-01-30 17:11 . 2009-12-21 19:14 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-01-30 17:11 . 2009-12-21 19:14 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-01-30 17:10 . 2009-01-07 17:20 265720 ----a-w- c:\windows\system32\msdbg2.dll
2010-01-30 17:10 . 2009-01-07 17:20 134144 -c----w- c:\windows\system32\dllcache\sqmapi.dll
2010-01-30 14:00 . 2010-01-30 14:00 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2010-01-30 14:00 . 2010-01-30 14:01 -------- d-----w- c:\program files\NVIDIA Corporation
2010-01-30 13:39 . 2010-01-30 17:19 -------- d-----w- c:\windows\system32\sk-SK
2010-01-30 13:38 . 2009-12-31 15:33 13824 -c----w- c:\windows\system32\dllcache\ieudinit.exe
2010-01-30 13:38 . 2009-12-21 19:14 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-01-30 13:38 . 2009-12-21 19:14 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-01-30 13:38 . 2009-12-21 19:14 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-01-30 13:38 . 2009-12-21 19:14 11070464 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-01-30 13:38 . 2009-03-08 03:31 59904 -c--a-w- c:\windows\system32\dllcache\icardie.dll
2010-01-30 13:38 . 2009-03-08 03:11 445952 -c--a-w- c:\windows\system32\dllcache\ieapfltr.dll
2010-01-30 13:38 . 2009-02-06 20:07 3698584 -c--a-w- c:\windows\system32\dllcache\ieapfltr.dat
2010-01-30 13:32 . 2008-03-07 17:02 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
2010-01-30 13:32 . 2008-03-07 17:02 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
2010-01-30 13:32 . 2008-03-07 17:02 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
2010-01-29 20:22 . 2010-01-29 20:22 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-01-29 19:31 . 2010-01-29 19:31 0 ----a-w- c:\windows\nsreg.dat
2010-01-29 19:31 . 2010-01-29 19:31 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Mozilla
2010-01-29 17:17 . 2010-01-29 17:17 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-01-29 17:17 . 2010-01-30 17:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-29 17:17 . 2010-01-29 17:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-29 17:10 . 2009-11-24 23:48 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-01-29 17:10 . 2009-11-24 23:49 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-01-29 17:10 . 2009-11-24 23:47 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-01-29 17:10 . 2009-11-24 23:47 97480 ----a-w- c:\windows\system32\AvastSS.scr
2010-01-29 17:10 . 2009-11-24 23:51 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-01-29 17:10 . 2009-11-24 23:50 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-01-29 17:10 . 2009-11-24 23:50 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-01-29 17:10 . 2009-11-24 23:50 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-01-29 17:10 . 2009-11-24 23:54 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2010-01-29 16:54 . 2010-01-30 16:35 -------- d-----w- c:\program files\trend micro
2010-01-29 16:27 . 2010-01-29 16:27 -------- d-----w- c:\program files\CCleaner
2010-01-29 16:15 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-29 16:07 . 2010-01-29 16:07 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Opera
2010-01-29 16:00 . 2010-01-29 16:00 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
2010-01-15 18:32 . 2009-10-21 05:38 75776 -c----w- c:\windows\system32\dllcache\strmfilt.dll
2010-01-15 18:32 . 2009-10-21 05:38 25088 -c----w- c:\windows\system32\dllcache\httpapi.dll
2010-01-15 18:32 . 2009-10-20 16:20 265728 -c----w- c:\windows\system32\dllcache\http.sys
2010-01-12 11:03 . 2010-01-12 11:03 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-01-12 11:03 . 2010-01-12 11:03 4077672 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-01-12 11:03 . 2010-01-12 11:03 2283526 ----a-w- c:\windows\system32\nvdata.bin
2010-01-12 11:03 . 2010-01-12 11:03 2259560 ----a-w- c:\windows\system32\nvcuvid.dll
2010-01-12 11:03 . 2010-01-12 11:03 11632640 ----a-w- c:\windows\system32\nvcompiler.dll
2010-01-11 21:17 . 2010-01-11 21:17 278120 ----a-w- c:\windows\system32\nvmccs.dll
2010-01-11 21:17 . 2010-01-11 21:17 154216 ----a-w- c:\windows\system32\nvsvc32.exe
2010-01-11 21:17 . 2010-01-11 21:17 145000 ----a-w- c:\windows\system32\nvcolor.exe
2010-01-11 21:17 . 2010-01-11 21:17 13666408 ----a-w- c:\windows\system32\nvcpl.dll
2010-01-11 21:17 . 2010-01-11 21:17 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-01-11 21:17 . 2010-01-11 21:17 81920 ----a-w- c:\windows\system32\nvwddi.dll
2010-01-11 20:31 . 2010-01-11 20:31 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2010-01-11 20:31 . 2010-01-11 20:31 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\ESET
2010-01-11 20:29 . 2010-01-11 20:29 -------- d-----w- c:\documents and settings\Owner\Application Data\ESET
2010-01-11 19:29 . 2009-07-17 16:22 1435648 -c----w- c:\windows\system32\dllcache\query.dll
2010-01-11 19:29 . 2009-10-12 13:38 149504 -c----w- c:\windows\system32\dllcache\rastls.dll
2010-01-11 19:29 . 2009-10-12 13:38 79872 -c----w- c:\windows\system32\dllcache\raschap.dll
2010-01-11 19:29 . 2009-09-04 21:03 58880 -c----w- c:\windows\system32\dllcache\msasn1.dll
2010-01-11 19:29 . 2009-10-13 10:30 270336 -c----w- c:\windows\system32\dllcache\oakley.dll
2010-01-11 19:22 . 2010-01-11 19:22 -------- d-----w- c:\windows\system32\wbem\Repository

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-31 11:23 . 2008-09-14 09:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-30 22:54 . 2009-04-11 12:27 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-30 20:40 . 2009-07-28 14:39 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{FC0EF073-EDB5-4CBE-B92D-5CE9A223F37B}
2010-01-30 20:40 . 2006-01-14 08:57 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{F444439B-B473-48E8-8DE5-4CB929C79A9F}
2010-01-30 14:59 . 2008-08-06 16:33 -------- d-----w- c:\program files\Opera
2010-01-30 14:45 . 2008-09-14 09:33 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-30 13:46 . 2010-01-30 13:33 -------- d-----w- c:\program files\Windows Desktop Search
2010-01-30 13:33 . 2010-01-30 13:33 -------- d-----w- c:\documents and settings\Owner\Application Data\Windows Desktop Search
2010-01-12 11:03 . 2008-04-30 17:07 592488 ----a-w- c:\windows\system32\nvudisp.exe
2010-01-12 11:03 . 2008-04-30 17:06 592488 ----a-w- c:\windows\system32\NVUNINST.EXE
2010-01-12 11:03 . 2008-01-07 14:37 14458880 ----a-w- c:\windows\system32\nvoglnt.dll
2010-01-12 11:03 . 2008-01-03 14:26 6359168 ----a-w- c:\windows\system32\nv4_disp.dll
2010-01-12 11:03 . 2008-01-03 14:26 4104192 ----a-w- c:\windows\system32\nvcuda.dll
2010-01-12 11:03 . 2008-01-03 14:26 182888 ----a-w- c:\windows\system32\nvcodins.dll
2010-01-12 11:03 . 2008-01-03 14:26 182888 ----a-w- c:\windows\system32\nvcod.dll
2010-01-12 11:03 . 2008-01-03 14:26 1081344 ----a-w- c:\windows\system32\nvapi.dll
2010-01-12 11:03 . 2008-01-03 14:26 10276768 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2010-01-11 18:39 . 2008-05-01 12:29 13104 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-21 19:14 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 15:51 . 2006-02-28 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-01-11 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-11 13666408]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\ICQ6\\ICQ.exe"=
"c:\\Program Files\\Opera\\opera.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [29.1.2010 18:10 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [29.1.2010 18:10 20560]
R3 genmcmnUSB;USB Scroll Mouse Driver;c:\windows\system32\drivers\gflmouhid.sys [19.4.2004 15:01 6656]
S4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys --> c:\windows\system32\Drivers\sptd.sys [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\7iqt6mvz.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".sk");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-31 13:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-01-31 13:19:00
ComboFix-quarantined-files.txt 2010-01-31 12:18

Pre-Run: 85 131 112 448 bytes free
Post-Run: 85 095 927 808 bytes free

- - End Of File - - AC00D63CEF34C55043BA8CFF0096BE69

problem sa nevyriesil,este stale mi zamrza kurzor.

Vy jste mi tvrdý oříšek

Stáhněte Rootkit Unhooker http://forum.sysinternals.com/uploads/2 ... 300509.rar
-spusťte, klikněte na Report a potom klikněte na tlačítko Scan
-objeví se tabulka, dáte fajfku do všech okének a OK
-až se objeví tabulka "Select Disk for scan", vypněte ji křížkem v pravém horním rohu
-proběhne sken, objeví se okno z výsledky.Označte text a pravým tl. myši zkopírujte výsledky zde

A v přehledu událostí máte stále tu chybu?

>SSDT State
NtClose
Actual Address 0xB4CB76B8
Hooked by: C:\WINDOWS\System32\Drivers\aswSP.SYS

NtCreateKey
Actual Address 0xB4CB7574
Hooked by: C:\WINDOWS\System32\Drivers\aswSP.SYS

NtDeleteValueKey
Actual Address 0xB4CB7A52
Hooked by: C:\WINDOWS\System32\Drivers\aswSP.SYS

NtDuplicateObject
Actual Address 0xB4CB714C
Hooked by: C:\WINDOWS\System32\Drivers\aswSP.SYS

NtOpenKey
Actual Address 0xB4CB764E
Hooked by: C:\WINDOWS\System32\Drivers\aswSP.SYS

NtOpenProcess
Actual Address 0xB4CB708C
Hooked by: C:\WINDOWS\System32\Drivers\aswSP.SYS

NtOpenThread
Actual Address 0xB4CB70F0
Hooked by: C:\WINDOWS\System32\Drivers\aswSP.SYS

NtQueryValueKey
Actual Address 0xB4CB776E
Hooked by: C:\WINDOWS\System32\Drivers\aswSP.SYS

NtRestoreKey
Actual Address 0xB4CB772E
Hooked by: C:\WINDOWS\System32\Drivers\aswSP.SYS

NtSetValueKey
Actual Address 0xB4CB78AE
Hooked by: C:\WINDOWS\System32\Drivers\aswSP.SYS

>Shadow
>Processes
>Drivers
>Stealth
>Files
>Hooks
ntkrnlpa.exe+0x0002D504, Type: Inline - RelativeJump at address 0x80504504 hook handler located in [ntkrnlpa.exe]
ntkrnlpa.exe+0x0002D564, Type: Inline - RelativeJump at address 0x80504564 hook handler located in [ntkrnlpa.exe]
ntkrnlpa.exe+0x0002D570, Type: Inline - RelativeJump at address 0x80504570 hook handler located in [ntkrnlpa.exe]
ntkrnlpa.exe+0x0002D63C, Type: Inline - RelativeJump at address 0x8050463C hook handler located in [ntkrnlpa.exe]
ntkrnlpa.exe+0x0002D660, Type: Inline - RelativeJump at address 0x80504660 hook handler located in [ntkrnlpa.exe]
ntkrnlpa.exe+0x0002D724, Type: Inline - RelativeJump at address 0x80504724 hook handler located in [ntkrnlpa.exe]
ntkrnlpa.exe+0x0002D790, Type: Inline - RelativeJump at address 0x80504790 hook handler located in [ntkrnlpa.exe]
ntkrnlpa.exe+0x0002D83C, Type: Inline - RelativeJump at address 0x8050483C hook handler located in [ntkrnlpa.exe]
ntkrnlpa.exe+0x0006EC7E, Type: Inline - RelativeJump at address 0x80545C7E hook handler located in [ntkrnlpa.exe]
ntkrnlpa.exe-->IofCallDriver, Type: Address change at address 0x80555780 hook handler located in [catchme.sys]
[1632]searchindexer.exe-->kernel32.dll-->WriteFile, Type: Inline - RelativeJump at address 0x7C810E27 hook handler located in [mssrch.dll]
[1632]searchindexer.exe-->kernel32.dll-->WriteFile, Type: Inline - SEH at address 0x7C810E2C hook handler located in [unknown_code_page]
[1632]searchindexer.exe-->kernel32.dll-->WriteFile, Type: Inline - SEH at address 0x7C810E2D hook handler located in [unknown_code_page]
[3188]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x01001268 hook handler located in [shimeng.dll]
[3964]firefox.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump at address 0x7C9163C3 hook handler located in [firefox.exe]
[740]services.exe-->advapi32.dll-->CreateProcessAsUserW, Type: IAT modification at address 0x01001094 hook handler located in [unknown_code_page]
[740]services.exe-->kernel32.dll-->CreateProcessW, Type: IAT modification at address 0x01001114 hook handler located in [unknown_code_page]
!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)

ano,v prehlade udalosti mam stale tu chybu

co mam dalej urobit?Mam program zavriet bez akcie,alebo mam dat UnHook all?

Zatím ho zavřete, já se musím na ten log pořádně podívat

Znovu stahněte Gmer, všechno zaškrtněte a udělejte log

Stáhněte Gmer http://www.viry.cz/forum/viewtopic.php?f=29&t=62878
- rozbalte a spusťte
-proběhne sken, po skončení se otevře okno s výsledky, klikněte na Save a tím si uložíte log,který sem vložíte

-Podle návodu v odkazu provedete druhý sken a log sem také vložíte.

Stáhněte SystemLook
http://jpshortstuff.247fixes.com/SystemLook.exe

-uložte ho na plochu a spustte.
-do okénka zkopírujte

Kód: Vybrat vše

:regfind
atap*.*

filefind
atap*.*

-klikněte na Look, proběhne sken, na konci se zobrazí log, jehož obsah zkopírujete sem

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-01-31 21:13:03
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kgnoypog.sys

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- EOF - GMER 1.0.15 ----

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-31 22:29:50
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kgnoypog.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB4D576B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xB4D57574]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xB4D57A52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xB4D5714C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xB4D5764E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB4D5708C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xB4D570F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xB4D5776E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xB4D5772E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xB4D578AE]

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB73EE380, 0x550AF5, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[1552] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[736] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003E0002
IAT C:\WINDOWS\system32\services.exe[736] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003E0000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xE6 0x78 0x95 0x8A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x44 0x17 0x06 0xC2 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xAE 0x34 0xBF 0x79 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xE6 0x78 0x95 0x8A ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x44 0x17 0x06 0xC2 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xAE 0x34 0xBF 0x79 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xE6 0x78 0x95 0x8A ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x44 0x17 0x06 0xC2 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xAE 0x34 0xBF 0x79 ...

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 01: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 02: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 03: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 04: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 05: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 06: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 07: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 08: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 09: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 11: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 12: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 13: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 14: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 15: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 16: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 17: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 18: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 19: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 20: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 21: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 22: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 23: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 24: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 25: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 26: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 27: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 28: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 29: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 30: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 31: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 32: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 33: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 34: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 35: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 36: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 37: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 38: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 39: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 40: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 41: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 42: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 43: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 44: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 45: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 46: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 47: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 48: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 49: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 50: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 51: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 52: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 53: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 54: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 55: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 56: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 57: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 58: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 59: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 60: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 61: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR

---- EOF - GMER 1.0.15 ----

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 22:30 on 31/01/2010 by Owner (Administrator - Elevation successful)

========== regfind ==========

Searching for "atap*.*"
No data found.

Searching for "filefind"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ADB880A4-D8FF-11CF-9377-00AA003B7A11}\ProgID]
@="HHCtrl.FileFinder.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ADB880A4-D8FF-11CF-9377-00AA003B7A11}\VersionIndependentProgID]
@="HHCtrl.FileFinder"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HHCtrl.FileFinder]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HHCtrl.FileFinder.1]

Searching for "atap*.*"
No data found.

-=End Of File=-

Zítra na to kouknu, musím to konzultovat s kolegou

ok,zajtra som tu potom az poobede

otestujte na http://www.virustotal.com
C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
C:\WINDOWS\system32\SearchIndexer.exe

Stáhněte SystemLook
http://jpshortstuff.247fixes.com/SystemLook.exe

-uložte ho na plochu a spustte.
-do okénka zkopírujte

Kód: Vybrat vše



:regfind
atapi.sys

-klikněte na Look, proběhne sken, na konci se zobrazí log, jehož obsah zkopírujete sem

To nevadí, já tu občas nakouknu, také tu nejsem pořád

Dobrou noc

http://www.virustotal.com/analisis/171a ... 1265035353
http://www.virustotal.com/analisis/5099 ... 1265035178

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 15:46 on 01/02/2010 by Owner (Administrator - Elevation successful)

========== regfind ==========

Searching for "atapi.sys"
No data found.

-=End Of File=-

Ještě se blbě zeptám - ale jakou máte myš? Normální nebo přes USB?
Zkoušel jste ji vyměnit?

mys mam usbckovu,vymenit som neskusal,dalsiu mam tiez usbckovu
inak,dnes ako som zapol pocitac tak mi zatial kurzor nemrzne...
vcera som si este vsimol ze dost casto sa pocitac pokusal citat z dvdromky aj ked v nej ziadne medium nebolo,kazdu chvilu mi pri kurzore svietila taka ikonka cdcka.Dnes toto nerobi.
takze skusim restart pc ci to nezacne robit,lebo uz fakt neviem kde moze byt problem.
Vy to ako vidite?Je to zalezitost nejakeho virusu?Alebo to moze byt HW problem?

no zaujimave,restartoval som asi 6x a problem sa zatial neobjavil ani raz,tak toto uz nechapem...

takze,od posledneho restartu ide pocitac zhruba 3 hodiny ale pred pol hodinou zacal zasa mrznut kurzor,asi 10x uz zamrzol,a v Zobrazovaci udalosti mam chybu atapi len 1x

Nějaký problém s atapi tam zřejmě bude

.

Start - spustit - regedit

Najděte klíč
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapi]
klikněte nahoře na soubor - exportovat - soubor někam uložte

soubor dejte do zipu a vložte zde jako přílohu

Za chvilku Vám zde vložím ještě jeden návod na vyčištění Mbr sektorů

Naughty píše: Stahni HxD portable http://mh-nexus.de/en/downloads.php?product=HxD na plochu
- rozbal tak aby nebyl v zadne slozce, idealne na Ccko.
- spusti a potvrd vyzvu
- klikne na otvor disk - dulezite: zvol pevne (fyzicke disky) disky
- pevny disk 1
- do nabidky napis, ktery sektor chces otevrit
- zmacknes normalne enter, program navede primo na sektor
- najdi sektory:

0 (zde budou hex data) tech si nevsimej

Podívejte se na sektory 1 - 63, a napište mi, kde nejsou všude 0

VIRY.CZ

Prosim o kontrolu logu-pomaly pocitac,mrzne kurzor mysi

Re: Prosim o kontrolu logu-pomaly pocitac,mrzne kurzor mysi

Re: Prosim o kontrolu logu-pomaly pocitac,mrzne kurzor mysi

Re: Prosim o kontrolu logu-pomaly pocitac,mrzne kurzor mysi

Re: Prosim o kontrolu logu-pomaly pocitac,mrzne kurzor mysi

Re: Prosim o kontrolu logu-pomaly pocitac,mrzne kurzor mysi

Re: Prosim o kontrolu logu-pomaly pocitac,mrzne kurzor mysi

Re: Prosim o kontrolu logu-pomaly pocitac,mrzne kurzor mysi

Re: Prosim o kontrolu logu-pomaly pocitac,mrzne kurzor mysi

Re: Prosim o kontrolu logu-pomaly pocitac,mrzne kurzor mysi

Re: Prosim o kontrolu logu-pomaly pocitac,mrzne kurzor mysi

Re: Prosim o kontrolu logu-pomaly pocitac,mrzne kurzor mysi

Re: Prosim o kontrolu logu-pomaly pocitac,mrzne kurzor mysi

Re: Prosim o kontrolu logu-pomaly pocitac,mrzne kurzor mysi

Re: Prosim o kontrolu logu-pomaly pocitac,mrzne kurzor mysi

Re: Prosim o kontrolu logu-pomaly pocitac,mrzne kurzor mysi