Security Tool

[cabinho]

Zdravím...

Do noťasu se mi natáhnul Security Tool. Myslim že to nebude jediná havěť co se mi tam dostala, takže mám s tím velký problémy. Musim teď pracovat v nouzáku.

Jestli mi někdo poradí co s tím, tak budu moc rád. PC ovládám spíš jen uživatelsky.

Díky za každou radu

[motji]

Hezké dopoledne
V nouzovém režimu provedte log ze Rsitu, viz můj podpis. Mrkneme na to

[cabinho]

Použil sem RSIT... takže sem házim log:

Logfile of random's system information tool 1.06 (written by random/random)
Run by UZIVATEL at 2010-04-20 08:40:44
Systém Microsoft Windows XP Professional Service Pack 3
System drive C: has 16 GB (58%) free of 27 GB
Total RAM: 502 MB (58% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:40:52, on 20.4.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Opera\opera.exe
C:\Documents and Settings\UZIVATEL\Plocha\RSIT.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\trend micro\UZIVATEL.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=80744
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
F2 - REG:system.ini: Shell=Explorer.exe rundll32.exe smvh.odo truux
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LaunchAp] "C:\Program Files\Launch Manager\LaunchAp.exe"
O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [LManager] "C:\Program Files\Launch Manager\HotkeyApp.exe"
O4 - HKLM\..\Run: [CtrlVol] "C:\Program Files\Launch Manager\CtrlVol.exe"
O4 - HKLM\..\Run: [LMgrOSD] "C:\Program Files\Launch Manager\OSDCtrl.exe"
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [eRecoveryService] C:\Program Files\Acer\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [ToolBoxFX] "C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /systrayIcon:on /fl:on /fr:on /appData:on
O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
O4 - HKLM\..\Run: [MobileConnect] %programfiles%\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe /silent
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [syncman] c:\windows\system32\wuaucldt.exe
O4 - HKLM\..\Run: [72836733] C:\DOCUME~1\ALLUSE~1\DATAAP~1\72836733\72836733.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\UZIVATEL\reader_s.exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKLM\..\Policies\Explorer\Run: [6thm] C:\DOCUME~1\UZIVATEL\LOCALS~1\Temp\32kj.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{3BD6442F-65F0-409C-BE7D-73A451A7E303}: NameServer = 192.168.111.1,212.71.131.6
O17 - HKLM\System\CS1\Services\Tcpip\..\{3BD6442F-65F0-409C-BE7D-73A451A7E303}: NameServer = 192.168.111.1,212.71.131.6
O17 - HKLM\System\CS2\Services\Tcpip\..\{3BD6442F-65F0-409C-BE7D-73A451A7E303}: NameServer = 192.168.111.1,212.71.131.6
O20 - Winlogon Notify: reset5c - reset5c.dll (file missing)
O21 - SSODL: LGootkitSSO - {5515E563-CDB1-49B1-A53C-89A9B7509B95} - C:\WINDOWS\System32\lmsxsltsso.dll (file missing)
O21 - SSODL: SysRun - {D7FFD784-5276-42D1-887B-00267870A4C7} - C:\WINDOWS\system32\svshost.dll (file missing)
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Systems Mon (SystemsMon) - Unknown owner - C:\WINDOWS\system32\drivers\system.exe
O23 - Service: Vodafone Mobile Connect Service (VMCService) - Vodafone - C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe

--
End of file - 6754 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-05-15 50376]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"preload"=C:\Windows\RUNXMLPL.exe [2005-05-19 32768]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2005-01-23 155648]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2005-01-23 126976]
"SoundMan"=C:\WINDOWS\SOUNDMAN.EXE [2005-04-15 77824]
"SynTPLpr"=C:\Program Files\Synaptics\SynTP\SynTPLpr.exe [2005-02-04 102490]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2005-02-04 708698]
"EPM-DM"=c:\acer\epm\epm-dm.exe [2005-06-01 192512]
"ePowerManagement"=C:\Acer\ePM\ePM.exe [2005-03-15 2893824]
"IMJPMIG8.1"=C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE [2004-08-18 208952]
"MSPY2002"=C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe [2004-08-18 59392]
"PHIME2002ASync"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-18 455168]
"PHIME2002A"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-18 455168]
"RemoteControl"=C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2004-07-15 32768]
"LaunchAp"=C:\Program Files\Launch Manager\LaunchAp.exe [2005-07-25 32768]
"PowerKey"=C:\Program Files\Launch Manager\PowerKey.exe [2002-08-30 94208]
"LManager"=C:\Program Files\Launch Manager\HotkeyApp.exe [2005-06-06 69632]
"CtrlVol"=C:\Program Files\Launch Manager\CtrlVol.exe [2003-09-16 20480]
"LMgrOSD"=C:\Program Files\Launch Manager\OSDCtrl.exe [2005-07-25 241664]
"Wbutton"=C:\Program Files\Launch Manager\Wbutton.exe [2005-07-25 81920]
"eRecoveryService"=C:\Program Files\Acer\eRecovery\Monitor.exe [2005-06-29 352256]
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [2004-09-13 49152]
"ToolBoxFX"=C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe [2006-10-06 53248]
"Regedit32"=C:\WINDOWS\system32\regedit.exe [2010-04-15 182272]
"MobileConnect"=C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe [2008-11-04 2087424]
"reader_s"=C:\WINDOWS\System32\reader_s.exe [2010-04-15 31744]
"avast5"=C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe [2010-04-14 2790472]
"syncman"=c:\windows\system32\wuaucldt.exe []
"72836733"=C:\DOCUME~1\ALLUSE~1\DATAAP~1\72836733\72836733.exe [2010-04-19 1162752]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"6thm"=C:\DOCUME~1\UZIVATEL\LOCALS~1\Temp\32kj.exe [2010-04-14 47616]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-14 1695232]
"reader_s"=C:\Documents and Settings\UZIVATEL\reader_s.exe [2010-04-15 31744]
"SVCHOST.EXE"=C:\WINDOWS\system32\drivers\svchost.exe []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2005-01-23 348160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\reset5c]
reset5c.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2009-03-10 265096]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
LGootkitSSO - {5515E563-CDB1-49B1-A53C-89A9B7509B95} - C:\WINDOWS\System32\lmsxsltsso.dll []
SysRun - {D7FFD784-5276-42D1-887B-00267870A4C7} - C:\WINDOWS\system32\svshost.dll []

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
r32ldets.dll

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Skype\Plugin Manager\skypePM.exe"="C:\Program Files\Skype\Plugin Manager\skypePM.exe:*:Enabled:Skype Extras Manager"
"C:\Program Files\Opera\opera.exe"="C:\Program Files\Opera\opera.exe:*:Enabled:Opera Internet Browser"
"C:\WINDOWS\system32\wininet.exe"="C:\WINDOWS\system32\wininet.exe:*:Enabled:Windows XP Update"
"%windir%\system32\lsass.exe"="%windir%\system32\lsass.exe:*:Enabled:Local Security Authority Subsystem Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{71a630ec-4658-11df-9046-0014a462813c}]
shell\AutoRun\command - F:\setup_vmc_lite.exe /checkApplicationPresence

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{71a630ed-4658-11df-9046-0014a462813c}]
shell\AutoRun\command - F:\setup_vmc_lite.exe /checkApplicationPresence

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{903a62d1-45a1-11df-9045-0014a462813c}]
shell\AutoRun\command - F:\setup_vmc_lite.exe /checkApplicationPresence

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{903a62d2-45a1-11df-9045-0014a462813c}]
shell\AutoRun\command - F:\setup_vmc_lite.exe /checkApplicationPresence

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c8fb3f48-4213-11df-9043-0014a462813c}]
shell\AutoRun\command - F:\setup_vmc_lite.exe /checkApplicationPresence

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c8fb3f49-4213-11df-9043-0014a462813c}]
shell\AutoRun\command - F:\setup_vmc_lite.exe /checkApplicationPresence


======List of files/folders created in the last 1 months======

2010-04-20 08:40:44 ----D---- C:\rsit
2010-04-20 08:40:44 ----D---- C:\Program Files\trend micro
2010-04-19 14:32:24 ----N---- C:\WINDOWS\system32\eRLog.ini
2010-04-19 14:30:58 ----SHD---- C:\FOUND.000
2010-04-19 13:12:24 ----D---- C:\Documents and Settings\All Users\Data aplikací\72836733
2010-04-19 03:00:28 ----HD---- C:\WINDOWS\$NtUninstallKB978601$
2010-04-18 14:26:08 ----HD---- C:\WINDOWS\$NtUninstallKB979309$
2010-04-16 09:23:40 ----A---- C:\WINDOWS\JCMKR32.INI
2010-04-15 15:19:56 ----A---- C:\WINDOWS\gsautgixlwdlmhb2uj8cxvz0.ini
2010-04-15 15:12:22 ----A---- C:\WINDOWS\system32\regedit.exe
2010-04-15 09:47:34 ----A---- C:\WINDOWS\system32\aswBoot.exe
2010-04-15 09:47:14 ----D---- C:\Program Files\Alwil Software
2010-04-15 09:47:14 ----D---- C:\Documents and Settings\All Users\Data aplikací\Alwil Software
2010-04-15 08:23:15 ----A---- C:\WINDOWS\system32\reader_s.exe
2010-04-14 14:09:02 ----D---- C:\Documents and Settings\All Users\Data aplikací\Vodafone
2010-04-14 14:08:52 ----D---- C:\Program Files\Vodafone
2010-04-14 10:06:52 ----A---- C:\WINDOWS\ModemLog_HUAWEI Mobile Connect - 3G Modem #5.txt
2010-04-14 08:29:39 ----SHD---- C:\WINDOWS\CSC
2010-04-14 08:15:54 ----A---- C:\WINDOWS\ntbtlog.txt
2010-04-13 19:26:22 ----A---- C:\WINDOWS\opedehipenoxok.dll
2010-04-12 21:25:31 ----SHD---- C:\WINDOWS\system32\lowsec
2010-04-12 19:35:23 ----A---- C:\WINDOWS\ModemLog_HUAWEI Mobile Connect - 3G Modem #3.txt
2010-04-12 12:55:42 ----D---- C:\Documents and Settings\UZIVATEL\Data aplikací\Cestak
2010-04-12 08:07:03 ----A---- C:\WINDOWS\ModemLog_HUAWEI Mobile Connect - 3G Modem #2.txt
2010-04-12 07:46:03 ----HD---- C:\WINDOWS\$NtUninstallKB961118$
2010-04-11 21:37:39 ----HD---- C:\Documents and Settings\All Users\Data aplikací\CanonBJ
2010-04-11 21:37:26 ----A---- C:\WINDOWS\system32\CNMLM94.DLL
2010-04-11 11:14:24 ----D---- C:\WINDOWS\system32\XPSViewer
2010-04-11 11:14:18 ----D---- C:\Program Files\MSBuild
2010-04-11 11:14:15 ----D---- C:\WINDOWS\system32\en-US
2010-04-11 11:14:06 ----D---- C:\Program Files\Reference Assemblies
2010-04-11 11:13:25 ----N---- C:\WINDOWS\system32\xpssvcs.dll
2010-04-11 11:13:25 ----N---- C:\WINDOWS\system32\xpsshhdr.dll
2010-04-11 11:13:25 ----N---- C:\WINDOWS\system32\prntvpt.dll
2010-04-07 15:09:49 ----A---- C:\WINDOWS\iun6002.exe
2010-04-07 15:09:41 ----D---- C:\Program Files\Codec Pack - All In 1
2010-04-07 15:09:40 ----D---- C:\WINDOWS\system32\languages
2010-04-07 15:08:52 ----A---- C:\WINDOWS\Codec Pack - All In 1 Setup Log.txt
2010-04-07 15:06:59 ----D---- C:\Documents and Settings\UZIVATEL\Data aplikací\vlc
2010-04-07 15:05:46 ----D---- C:\Program Files\VideoLAN
2010-04-07 10:41:36 ----A---- C:\WINDOWS\ChkMail.Ini
2010-04-07 09:14:26 ----A---- C:\WINDOWS\ModemLog_HUAWEI Mobile Connect - 3G Modem.txt
2010-04-07 09:12:25 ----D---- C:\Documents and Settings\UZIVATEL\Data aplikací\Vodafone
2010-04-07 09:12:21 ----D---- C:\Documents and Settings\All Users\Data aplikací\InstallShield
2010-04-03 19:02:08 ----D---- C:\Documents and Settings\UZIVATEL\Data aplikací\Opera
2010-04-03 19:01:44 ----D---- C:\Program Files\Opera
2010-04-02 12:25:58 ----D---- C:\Documents and Settings\UZIVATEL\Data aplikací\Macromedia
2010-04-02 11:35:34 ----N---- C:\WINDOWS\system32\browserchoice.exe
2010-03-31 11:32:43 ----HD---- C:\WINDOWS\$NtUninstallKB980182$

======List of files/folders modified in the last 1 months======

2010-04-19 13:58:48 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-04-19 11:50:36 ----A---- C:\WINDOWS\ModemLog_SoftV90 Data Fax Modem with SmartCP.txt
2010-04-18 14:27:34 ----A---- C:\WINDOWS\imsins.BAK
2010-04-12 08:07:42 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2010-03-26 09:11:20 ----A---- C:\WINDOWS\ModemLog_Aiji CDMA USB Modem.txt

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2008-04-13 8832]
R3 AR5211;Atheros Wireless Network Adapter Service; C:\WINDOWS\system32\DRIVERS\ar5211.sys [2005-01-10 449888]
R3 RTL8023xp;Realtek RTL8139/810x/8169/8110 all in one NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtlnicxp.sys [2004-12-02 70912]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2005-02-04 193216]
R3 usbehci;Ovladač miniportu rozšířeného radiče hostitele Microsoft USB 2.0; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Rozbočovač umožnující USB2; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Ovladač Microsoft univerzálního hostitelského řadiče USB od společnosti Microsoft; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S1 Aavmker4;avast! Asynchronous Virus Monitor; C:\WINDOWS\system32\drivers\Aavmker4.sys [2010-04-14 28880]
S1 aswSP;aswSP; C:\WINDOWS\system32\drivers\aswSP.sys [2010-04-14 162768]
S1 aswTdi;avast! Network Shield Support; C:\WINDOWS\system32\drivers\aswTdi.sys [2010-04-14 46672]
S1 Hotkey;Hotkey; C:\WINDOWS\system32\drivers\Hotkey.sys [2003-04-28 9867]
S1 intelppm;Řadič procesoru Intel; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 40192]
S1 lda4d03;lda4d03; C:\WINDOWS\System32\drivers\lda4d03.sys []
S1 mailKmd;mailKmd; C:\WINDOWS\system32\drivers\mailKmd.sys []
S1 Wbutton;Wbutton; C:\WINDOWS\system32\drivers\Wbutton.sys []
S2 aswFsBlk;aswFsBlk; C:\WINDOWS\system32\drivers\aswFsBlk.sys [2010-04-14 19024]
S2 aswMon2;avast! Standard Shield Support; C:\WINDOWS\system32\drivers\aswMon2.sys [2010-04-14 100432]
S2 EpmPsd;Acer EPM Power Scheme Driver; \??\C:\WINDOWS\system32\drivers\epm-psd.sys []
S2 EpmShd;Acer EPM System Hardware Driver; \??\C:\WINDOWS\system32\drivers\epm-shd.sys []
S2 int15.sys;int15.sys; \??\C:\Program Files\Acer\eRecovery\int15.sys []
S2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2004-03-17 13059]
S2 osaio;osaio; \??\C:\WINDOWS\system32\drivers\osaio.sys []
S2 osanbm;osanbm; \??\C:\WINDOWS\system32\drivers\osanbm.sys []
S3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2005-04-19 2317504]
S3 Arp1394;Protokol 1394 ARP Client; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
S3 aswRdr;aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [2010-04-14 23376]
S3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-13 13952]
S3 Dot4Scan;Scan Class Driver for IEEE-1284.4; C:\WINDOWS\system32\DRIVERS\Dot4Scan.sys [2001-08-17 8704]
S3 FETNDIS;VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\fetnd5.sys [2001-08-17 27165]
S3 HidUsb;Ovladač třídy standardu HID; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 HPFXBULK;HPFXBULK; C:\WINDOWS\system32\drivers\hpfxbulk.sys [2005-09-20 9344]
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2005-10-28 49920]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2005-10-28 16496]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2005-10-28 21568]
S3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSF_DP.sys [2004-12-15 1038208]
S3 HSFHWICH;HSFHWICH; C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys [2004-12-15 207232]
S3 hwdatacard;Huawei DataCard USB Modem and USB Serial; C:\WINDOWS\system32\DRIVERS\ewusbmdm.sys [2008-12-30 101120]
S3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2005-01-23 804317]
S3 mouhid;Ovladač myši standardu HID; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-10-24 12160]
S3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
S3 NSCIRDA;NSC Infrared Device Driver; C:\WINDOWS\system32\DRIVERS\nscirda.sys [2008-04-13 28672]
S3 NTIDrvr;Upper Class Filter Driver; C:\WINDOWS\system32\DRIVERS\NTIDrvr.sys [2009-11-20 6144]
S3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2003-12-05 10368]
S3 POWERKEY;POWERKEY; \??\C:\Program Files\Launch Manager\POWERKEY.sys []
S3 qcusbser;Aiji System USB Device for Legacy Serial Communication; C:\WINDOWS\system32\DRIVERS\qcusbser.sys [2005-12-16 87040]
S3 Rasirda;WAN Miniport (IrDA); C:\WINDOWS\system32\DRIVERS\rasirda.sys [2001-08-17 19584]
S3 usbccgp;Obecný nadřazený ovladač Microsoft USB; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Třída USB Printer; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;Ovladač skeneru USB; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;Ovladač velkokapacitního paměťového zařízení USB; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2004-12-15 703232]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

S2 anbmService;Notebook Manager Service; C:\Acer\eManager\anbmServ.exe [2005-06-06 1273344]
S2 Automatic LiveUpdate Scheduler;Automatic LiveUpdate Scheduler; C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe [2006-07-25 100032]
S2 avast! Antivirus;avast! Antivirus; C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2010-04-14 40384]
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-14 268288]
S2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2005-10-22 69632]
S2 SystemsMon;Systems Mon; C:\WINDOWS\system32\drivers\system.exe [2010-04-15 140800]
S2 VMCService;Vodafone Mobile Connect Service; C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe [2008-11-04 14336]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 avast! Mail Scanner;avast! Mail Scanner; C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2010-04-14 40384]
S3 avast! Web Scanner;avast! Web Scanner; C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2010-04-14 40384]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 LiveUpdate;LiveUpdate; C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE [2006-07-25 2119360]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------

[motji]

Nejen security tool, řekla bych, že tam je toho víc . Kdepak jste k tomu přišel?
Zatím zůstaňte v nouzovém režimu, ještě nás čeká dost práce

Otestujte na http://www.virustotal.com
C:\WINDOWS\System32\reader_s.exe
C:\WINDOWS\opedehipenoxok.dll
-Na virustotalu dáte procházet, a do spodního okénka nakopírujete přímo cestu k souboru a dáte odeslat
-z prohlížeče zkopírujete adresu ke stránce s výsledky
-pokud se Vás zeptá, dejte soubor otestovat znovu, tak aby to byl soubor z Vašeho počítače


:arrow:Stáhněte OTM http://oldtimer.geekstogo.com/OTM.exe
Stáhněte na plochu Otm, 2krát klikněte na Otm,spustí se program,
Do levého okna "Paste Instructions for Items to be Moved" pod žlutou čáru zkopírujete skript

Kód: Vybrat vše

:processes
explorer.exe
 
:files
C:\WINDOWS\system32\*.tmp.dll /s
C:\WINDOWS\system32\SET*.tmp /s
C:\WINDOWS\*.tmp /s
C:\WINDOWS\system32\regedit.exe
c:\windows\system32\wuaucldt.exe
C:\DOCUME~1\ALLUSE~1\DATAAP~1\72836733
C:\Documents and Settings\UZIVATEL\reader_s.exe
C:\WINDOWS\system32\drivers\svchost.exe
C:\DOCUME~1\UZIVATEL\LOCALS~1\Temp\32kj.exe
C:\WINDOWS\gsautgixlwdlmhb2uj8cxvz0.ini
C:\WINDOWS\system32\sdra64.exe

:reg
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Regedit32"=-
"reader_s"=-
"syncman"=-
"72836733"=-
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"6thm"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"reader_s"=-
"SVCHOST.EXE"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\reset5c]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] 
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit"="C:\WINDOWS\system32\userinit.exe,

:commands
[resethosts]
[emptytemp]
[EMPTYFLASH]
[Reboot]

-klikněte na červené tlačítko Moveit!
-sem vložte obsah zeleného okénka
-Pokud se bude chtít restartovat pc, dejte YES,log pak najdete C:\_OTM\MovedFiles. Log vložte sem


Z mého podpisu stahněte Ccleaner
- nainstalujte, při výběru, co se má nainstalovat, dejte pryč fajfku u instalace yahoo toolbaru

záložka čistič
-nechejte v levém sloupečku zatrhnuté vše jak je, klikněte na analyzovat
-po analýze klikněte na Spustit Ccleaner

záložka Registry
- klikněte na hledej problémy
- pak klikněte na opravit vybrané problémy -- udělat zálohu registrů - nemusíte
- kliknete opravit všechny problémy ok zavřít

Záložka Nástroje
- zde můžete odinstalovat programy. Je to důkladnější odinstalace než u přidat/odebrat programy ve Windows.

Ccleaner - čistič doporučuji používat, krásně pročistí pc od dočasných souborů.
Registry pročistí třeba po odinstalaci nějakého programu.

[cabinho]

Sám nevím. Nejsem první majitel nb

Tady jsou odkazy k výsledkům:
http://www.virustotal.com/cs/analisis/c ... 1271747329

http://www.virustotal.com/cs/analisis/c ... 1271747577

[cabinho]

Tohle je z OTM

All processes killed
========== PROCESSES ==========
Process explorer.exe killed successfully!
========== FILES ==========
File/Folder C:\WINDOWS\system32\*.tmp.dll not found.
File/Folder C:\WINDOWS\system32\SET*.tmp not found.
C:\WINDOWS\002719_.tmp moved successfully.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9E7.tmp folder moved successfully.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPAC6.tmp folder moved successfully.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPAED.tmp folder moved successfully.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPB24.tmp folder moved successfully.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP226.tmp folder moved successfully.
C:\WINDOWS\SoftwareDistribution\Download\0efb45fe14af60fce7fe141ae9ac7cc6\download\BIT3B.tmp moved successfully.
C:\WINDOWS\SoftwareDistribution\Download\3a4fa5ca80783b1912fee853479c93c4\BITAA.tmp moved successfully.
C:\WINDOWS\SoftwareDistribution\Download\508483484f3a183df6329500a0689df5\BITA6.tmp moved successfully.
C:\WINDOWS\SoftwareDistribution\Download\872cdbc2aa908a12ab47c2f32baffa55\BIT1E.tmp moved successfully.
C:\WINDOWS\SoftwareDistribution\Download\87b41ebb1dfcdf66fa4bbb3741831b21\BIT9F.tmp moved successfully.
C:\WINDOWS\SoftwareDistribution\Download\a79ed409f1e327c589b9075eb5cbef44\BITAC.tmp moved successfully.
C:\WINDOWS\SoftwareDistribution\Download\e1d56846412df84708a3244922d10045\BITAB.tmp moved successfully.
C:\WINDOWS\SoftwareDistribution\Download\fbd50ac2b4eda85167bce981db7f8fdd\BIT11.tmp moved successfully.
C:\WINDOWS\system32\CONFIG.TMP moved successfully.
C:\WINDOWS\system32\Macromed\Flash\~SS1.tmp moved successfully.
C:\WINDOWS\Temp\tmp6172.tmp moved successfully.
C:\WINDOWS\Temp\1.tmp moved successfully.
C:\WINDOWS\Temp\~DFA152.tmp moved successfully.
C:\WINDOWS\Temp\tmp322D.tmp moved successfully.
C:\WINDOWS\Temp\tmp18F3.tmp moved successfully.
C:\WINDOWS\Temp\tmp1E62.tmp moved successfully.
C:\WINDOWS\twain_32\hpqgends.tmp moved successfully.
C:\WINDOWS\twain_32\hpqgnds2.tmp moved successfully.
C:\WINDOWS\system32\regedit.exe moved successfully.
File/Folder c:\windows\system32\wuaucldt.exe not found.
C:\DOCUME~1\ALLUSE~1\DATAAP~1\72836733 folder moved successfully.
C:\Documents and Settings\UZIVATEL\reader_s.exe moved successfully.
File/Folder C:\WINDOWS\system32\drivers\svchost.exe not found.
C:\DOCUME~1\UZIVATEL\LOCALS~1\Temp\32kj.exe moved successfully.
C:\WINDOWS\gsautgixlwdlmhb2uj8cxvz0.ini moved successfully.
File move failed. C:\WINDOWS\system32\sdra64.exe scheduled to be moved on reboot.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Regedit32 deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\reader_s deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\syncman deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\72836733 deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\\6thm deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\reader_s deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\SVCHOST.EXE deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\reset5c\ deleted successfully.
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\\"Authentication Packages"|hex(7):6d,73,76,31,5f,30,00,00 /E : value set successfully!
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\"Shell"|"explorer.exe" /E : value set successfully!
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\"UserInit"|"C:\WINDOWS\system32\userinit.exe, /E : value set successfully!
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: All Users

User: NetworkService
->Temp folder emptied: 336482 bytes
->Temporary Internet Files folder emptied: 36050 bytes

User: LocalService
->Temp folder emptied: 65984 bytes
->Temporary Internet Files folder emptied: 35916 bytes

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32768 bytes

User: UZIVATEL
->Temp folder emptied: 430562960 bytes
->Temporary Internet Files folder emptied: 83004318 bytes
->FireFox cache emptied: 80625440 bytes
->Flash cache emptied: 891 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 21010820 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 23910220 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 407442 bytes
RecycleBin emptied: 45943691 bytes

Total Files Cleaned = 654,00 mb


OTM by OldTimer - Version 3.1.10.2 log created on 04202010_091709

[motji]

Combofix stahněte takto:
- pravým myšítkem klikněte na odkaz combofixu --uložit jako.. ,a teď ho přejmenujte na Potvora.com a uložte.


Stáhněte na plochu, ukončete všechna aktivní okna a spusťte ComboFix - http://download.bleepingcomputer.com/sUBs/ComboFix.exe

-souhlaste s instalací konzole pro zotavení

- ComboFix je třeba spustit pod účtem s právy administrátora

- Před použitím vypněte všechny rezidentní bezpečnostní programy - antiviry, firewally, antispywary

- Po spuštění se zobrazí podmínky užití, potvrďte je stiskem tlačítka Ano

- Dále postupujte dle pokynů, během aplikování ComboFixu neklikejte do zobrazujícího se okna

- Po dokončení skenování, trvajícího maximálně 10 minut, by měl program vytvořit log - C:\ComboFix.txt, zkopírujte celý jeho obsah sem

[cabinho]

ComboFix 10-04-19.04 - UZIVATEL 20.04.2010 9:43.1.1 - FAT32x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.502.292 [GMT 2:00]
Spuštěný z: c:\documents and settings\UZIVATEL\Plocha\Potvora.com.exe
AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LocalService\oashdihasidhasuidhiasdhiashdiuasdhasd
c:\documents and settings\NetworkService\oashdihasidhasuidhiasdhiashdiuasdhasd
c:\documents and settings\UZIVATEL\Plocha\Security Tool.lnk
c:\windows\inf\vvt.pnf
c:\windows\system32\drivers\system.exe
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\lowsec\user.ds.lll
c:\windows\system32\msxslt.dat
c:\windows\system32\reader_s.exe
c:\windows\system32\sdra64.exe

c:\windows\system32\drivers\cdrom.sys chyběl.
Obnovena kopie z - c:\windows\ServicePackFiles\i386\cdrom.sys

Nakažená kopie c:\windows\system32\drivers\ndis.sys byla nalezena a vyléčena.
Obnovena kopie z - c:\windows\ServicePackFiles\i386\ndis.sys
.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SYSTEMSMON
-------\Service_SystemsMon


((((((((((((((((((((((((( Soubory vytvořené od 2010-03-20 do 2010-04-20 )))))))))))))))))))))))))))))))
.

2010-04-20 07:48 . 2008-04-13 17:40 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2010-04-20 07:48 . 2008-04-13 17:40 62976 ----a-w- c:\windows\system32\dllcache\cdrom.sys
2010-04-20 07:45 . 2010-04-20 07:45 -------- d-----w- c:\windows\LastGood
2010-04-20 07:22 . 2010-04-20 07:22 -------- d-----w- c:\program files\CCleaner
2010-04-20 07:17 . 2010-04-20 07:17 -------- d-----w- C:\_OTM
2010-04-20 06:40 . 2010-04-20 06:40 -------- d-----w- C:\rsit
2010-04-20 06:40 . 2010-04-20 06:40 -------- d-----w- c:\program files\trend micro
2010-04-19 12:30 . 2010-04-19 12:30 -------- d-----w- C:\FOUND.000
2010-04-16 07:31 . 2010-04-14 16:35 162768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-04-16 07:31 . 2010-04-14 16:31 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-04-15 07:48 . 2010-04-14 16:31 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-04-15 07:48 . 2010-04-14 16:35 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-04-15 07:48 . 2010-04-14 16:31 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-04-15 07:48 . 2010-04-14 16:31 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-04-15 07:48 . 2010-04-14 16:30 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-04-15 07:47 . 2010-04-14 16:47 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-04-15 07:47 . 2010-04-14 16:47 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-04-15 07:47 . 2010-04-15 07:47 -------- d-----w- c:\program files\Alwil Software
2010-04-14 12:08 . 2010-04-14 12:08 -------- d-----w- c:\program files\Vodafone
2010-04-13 17:26 . 2010-04-13 17:26 1183 ----a-w- c:\windows\opedehipenoxok.dll
2010-04-11 19:37 . 2007-05-21 18:00 69632 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\CNMPP94.DLL
2010-04-11 19:37 . 2007-05-21 18:00 27136 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\CNMPD94.DLL
2010-04-11 19:37 . 2007-05-21 18:00 215040 ----a-w- c:\windows\system32\CNMLM94.DLL
2010-04-11 19:36 . 2008-04-13 17:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-04-11 19:36 . 2008-04-13 17:47 25856 ----a-w- c:\windows\system32\dllcache\usbprint.sys
2010-04-11 19:35 . 2008-04-13 17:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-04-11 19:35 . 2008-04-13 17:45 15104 ----a-w- c:\windows\system32\dllcache\usbscan.sys
2010-04-11 09:14 . 2010-04-11 09:14 -------- d-----w- c:\windows\system32\XPSViewer
2010-04-11 09:14 . 2010-04-11 09:14 -------- d-----w- c:\program files\MSBuild
2010-04-11 09:14 . 2010-04-11 09:14 -------- d-----w- c:\program files\Reference Assemblies
2010-04-11 09:13 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-04-11 09:13 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-04-11 09:13 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-04-11 09:13 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-04-11 09:13 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-04-11 09:13 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2010-04-11 09:13 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-04-11 09:13 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-04-11 09:13 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-04-07 13:09 . 2010-04-07 13:08 737280 ----a-w- c:\windows\iun6002.exe
2010-04-07 13:09 . 2010-04-07 13:09 -------- d-----w- c:\program files\Codec Pack - All In 1
2010-04-07 13:09 . 2010-04-07 13:09 -------- d-----w- c:\windows\system32\languages
2010-04-07 13:05 . 2010-04-07 13:05 -------- d-----w- c:\program files\VideoLAN
2010-04-07 07:12 . 2008-12-30 17:13 101120 ----a-r- c:\windows\system32\drivers\ewusbmdm.sys
2010-04-03 17:01 . 2010-04-03 17:01 -------- d-----w- c:\program files\Opera
2010-04-02 09:35 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-18 18:28 . 2004-10-15 07:36 179584 ----a-w- c:\windows\system32\drivers\dac2w2k.sys
2010-04-12 06:07 . 1979-12-31 22:00 84776 ----a-w- c:\windows\system32\perfc005.dat
2010-04-12 06:07 . 1979-12-31 22:00 442644 ----a-w- c:\windows\system32\perfh005.dat
2010-04-06 14:11 . 2005-07-19 08:34 228 ----a-w- c:\windows\FlashSaver.dat
2010-03-01 08:01 . 2010-03-01 08:01 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-02-26 05:44 . 1979-12-31 22:00 668160 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 05:43 . 1979-12-31 22:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-02-22 13:35 . 2010-02-22 13:35 -------- d-----w- c:\program files\Ufon
.

(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"preload"="c:\windows\RUNXMLPL.exe" [2005-05-19 32768]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-01-23 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-01-23 126976]
"SoundMan"="SOUNDMAN.EXE" [2005-04-15 77824]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-04 102490]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-04 708698]
"EPM-DM"="c:\acer\epm\epm-dm.exe" [2005-06-01 192512]
"ePowerManagement"="c:\acer\ePM\ePM.exe" [2005-03-15 2893824]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-18 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-18 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-18 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-18 455168]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-07-14 32768]
"LaunchAp"="c:\program files\Launch Manager\LaunchAp.exe" [2005-07-25 32768]
"PowerKey"="c:\program files\Launch Manager\PowerKey.exe" [2002-08-30 94208]
"LManager"="c:\program files\Launch Manager\HotkeyApp.exe" [2005-06-06 69632]
"CtrlVol"="c:\program files\Launch Manager\CtrlVol.exe" [2003-09-16 20480]
"LMgrOSD"="c:\program files\Launch Manager\OSDCtrl.exe" [2005-07-25 241664]
"Wbutton"="c:\program files\Launch Manager\Wbutton.exe" [2005-07-25 81920]
"eRecoveryService"="c:\program files\Acer\eRecovery\Monitor.exe" [2005-06-29 352256]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"ToolBoxFX"="c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2006-10-06 53248]
"MobileConnect"="c:\program files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe" [2008-11-04 2087424]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"%windir%\\system32\\lsass.exe"=

S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [16.4.2010 9:31 162768]
S1 lda4d03;lda4d03;c:\windows\system32\drivers\lda4d03.sys --> c:\windows\system32\drivers\lda4d03.sys [?]
S1 mailKmd;mailKmd; [x]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [16.4.2010 9:31 19024]
S2 VMCService;Vodafone Mobile Connect Service;c:\program files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe [4.11.2008 11:39 14336]
S3 POWERKEY;POWERKEY;c:\program files\Launch Manager\POWERKEY.SYS [20.11.2009 12:37 2343]
S3 qcusbser;Aiji System USB Device for Legacy Serial Communication;c:\windows\system32\drivers\qcusbser.sys [22.2.2010 15:26 87040]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.seznam.cz/
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {3BD6442F-65F0-409C-BE7D-73A451A7E303} = 192.168.111.1,212.71.131.6
FF - ProfilePath - c:\documents and settings\UZIVATEL\Data aplikací\Mozilla\Firefox\Profiles\b49wf01c.default\
FF - prefs.js: browser.startup.homepage - hxxp://seznam.cz/
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -

SSODL-LGootkitSSO-{5515E563-CDB1-49B1-A53C-89A9B7509B95} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-20 09:52
Windows 5.1.2600 Service Pack 3 FAT NTAPI

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************
.
Celkový čas: 2010-04-20 09:54:04 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-04-20 07:54

Před spuštěním: Volných bajtů: 16 602 267 648
Po spuštění: Volných bajtů: 16 978 444 288

WindowsXP-KB310994-SP2-Pro-BootDisk-CSY.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 80151CA770D127C947533944FF97E18E

[motji]

Jak to vypadá s počítačem ted?
Já si pro jistotu něco ověřím, měl jste ho parádně zavirovaný



odinstalujte všechny virtuální jednotky (Daemon nebo alcohol)

Stáhněte SPTD http://www.duplexsecure.com/en/downloads
-vyberte verzi podle svého operačního systému. SPTD for Windows (32 bit) nebo (64b)
-uložte na plochu a spusťte
- zvolte možnost Uninstall
- restart PC
- spusťte gmer


Stáhněte Gmer http://www.viry.cz/forum/viewtopic.php?f=29&t=62878
- rozbalte a spusťte
-proběhne sken, po skončení se otevře okno s výsledky, kliknete na Save a tím si uložíte log,který sem vložíte

-Podle návodu v odkazu proveďte druhý sken a log sem také vložte.

stáhněte MBR
http://www2.gmer.net/mbr/mbr.exe
-uložte ho na plochu


start-spustit
do okénka zkopírujte

Kód: Vybrat vše

"%userprofile%\plocha\mbr" -t

ok

vytvoří se log s názvem mbr.log, vložte ho zde [/quote]

Stahněte MBAM z mého podpisu
-Nainstalujte,dejte úplný sken

NIC NEMAZAT
-MBAM má občas falešné detekce,proto budeme mazat až po kontrole logu.
-Log zkopírujte sem.

[cabinho]

Tak tady je první log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-04-20 12:48:37
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\UZIVATEL\LOCALS~1\Temp\ugldapow.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0xAAD4F50A]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0xAAD4F32E]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xAAD4F468]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Fastfat \Fat aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

---- EOF - GMER 1.0.15 ----

[cabinho]

Tady je druhý log z gmeru:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-20 12:54:27
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\UZIVATEL\LOCALS~1\Temp\ugldapow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xAAD42C08]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xAAD42AC4]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteKey [0xAAD43078]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xAAD42FA2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xAAD4269A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xAAD42B9E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xAAD425DA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xAAD4263E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xAAD42CBE]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xAAD43146]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xAAD42C7E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xAAD42DFE]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0xAAD4F50A]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0xAAD4F32E]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xAAD4F468]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntkrnlpa.exe!ZwLoadDriver 80579608 7 Bytes JMP AAD4F46C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!NtCreateSection 805A076A 7 Bytes JMP AAD4F332 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 805B1CEE 5 Bytes JMP AAD4B4AA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ObInsertObject 805B8B66 5 Bytes JMP AAD4C97E \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805C73F8 7 Bytes JMP AAD4F50E \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[652] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00580002
IAT C:\WINDOWS\system32\services.exe[652] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00580000

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Fastfat \FatCdrom aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \FileSystem\Fastfat \Fat aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk lda4d03
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- EOF - GMER 1.0.15 ----

[cabinho]

Log z mbr:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK

[motji]

Gmer je ok

[cabinho]

No a nakonec MBAM:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Verze databáze: 4011

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

20.4.2010 13:21:25
mbam-log-2010-04-20 (13-21-25).txt

Typ skenu: Úplný sken (C:\|D:\|)
Skenované objekty: 148005
Uplynulý čas: 21 minuta(y), 44 sekunda(y)

Infikované procesy v paměti: 0
Infikované moduly v paměti: 0
Infikované klíče registru: 6
Infikované hodnoty registru: 1
Infikované datové položky registru: 0
Infikované složky: 0
Infikované soubory: 5

Infikované procesy v paměti:
(Žádné škodlivé položky nebyly zjištěny)

Infikované moduly v paměti:
(Žádné škodlivé položky nebyly zjištěny)

Infikované klíče registru:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> No action taken.

Infikované hodnoty registru:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\lgootkitsso (Trojan.GootKit) -> No action taken.

Infikované datové položky registru:
(Žádné škodlivé položky nebyly zjištěny)

Infikované složky:
(Žádné škodlivé položky nebyly zjištěny)

Infikované soubory:
C:\System Volume Information\_restore{F1A17B0A-663B-44F0-B7FF-6EE3138D3826}\RP56\A0028993.EXE (Trojan.Agent) -> No action taken.
C:\_OTM\MovedFiles\04202010_091709\C_WINDOWS\Temp\tmp6172.tmp (Trojan.ZBOT) -> No action taken.
C:\_OTM\MovedFiles\04202010_091709\C_WINDOWS\Temp\tmp1E62.tmp (Trojan.Agent) -> No action taken.
C:\_OTM\MovedFiles\04202010_091709\C_DOCUME~1\ALLUSE~1\DATAAP~1\72836733\72836733.exe (Rogue.Installer) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\system.exe.vir (Trojan.Agent) -> No action taken.

[motji]

Co našel mbam, smažte

Odinstalujte combofix přes Start - Spustit
- zkopírujte do okénka:

ComboFix /Uninstall

-stiskněte Enter
-To odinstaluje ComboFix a smaže s ním související soubory a složky.


***********


Stáhněte T-Cleaner
http://sweb.cz/Marinus/T-Cleaner.exe

-Spusťte,pro potvrzení volby mačkejte klávesu A, Enter
-po použití prográmek vymažte.Pozor,antiviry ho mohou falešně označit za vir



***********


Z mého podpisu stahněte Ccleaner
- nainstalujte, při výběru, co se má nainstalovat, dejte pryč fajfku u instalace yahoo toolbaru

záložka čistič
- nechejte v levém sloupečku zatrhnuté vše jak je, klikněte na analyzovat
- po analýze klikněte na Spustit Ccleaner

záložka Registry
- klikněte na hledej problémy
- pak klikněte na opravit vybrané problémy -- udělat zálohu registrů - nemusíte
- kliknete opravit všechny problémy ok zavřít

Záložka Nástroje
- zde můžete odinstalovat programy. Je to důkladnější odinstalace než u přidat/odebrat programy ve Windows.

Ccleaner - čistič doporučuji používat, krásně pročistí pc od dočasných souborů.
Registry pročistí třeba po odinstalaci nějakého programu.


***********



Stahněte OTC a použijte
http://oldtimer.geekstogo.com/OTC.exe
-vyčistí tempy a po použitých programech



***********

Vložte nový log ze RSIT a řekněte co počítač, jak se chová, už je vše v pořádku?

--------------------------------
--------------------------------

Můžete ještě udělat:

vyčistění disku
start-spustit - napište cleanmgr - ok..ok
-dát fajfku temporary ,,,offline,,koš,,,dočasné soubory - ok,


start-spustit - napište cleanmgr - ok..ok
-další možnosti - obnovení systému - vyčistit - ok

start-spustit - napište chkdsk /f/r
-[enter]
souhlas - restartuje se pc a nechá se disk zkontrolovat

defragmentace disku
- start - ovládací panely - nástroje pro správu - správa počítače - defragmentace disku

-- můžete použít i jiný nástroj na defragmentaci, ten ve windows není nic moc

Za sebe můžu doporučit JK defrag, který se neinstaluje
http://www.stahuj.centrum.cz/utility_a_ ... g[oz]=3.36