Page 1 of 3

Win32 malware log

Posted: 22 May 2010 19:04
by rumik.s
Please check my log. Avast keeps reporting the virus WIN32 MALWARE LOG. Thank you

ComboFix 10-05-22.01 - Rumik 22.05.2010 19:36:42.1.2 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.767.323 [GMT 2:00]
Spuštěný z: c:\documents and settings\Rumik\Dokumenty\Stažené soubory\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Dokumenty\Settings
c:\documents and settings\All Users\Dokumenty\Settings\cbss.dll
c:\documents and settings\Rumik\autorun.inf
c:\documents and settings\Rumik\ctfmon.exe
c:\documents and settings\Rumik\jvh.exe
c:\documents and settings\Rumik\secupdat.dat
c:\windows\system32\1xy1oe1.exe
c:\windows\system32\703i1ef.exe
c:\windows\system32\86qbbrs.exe
c:\windows\system32\aavmmhyy.exe
c:\windows\system32\bg81s3ezf3.exe
c:\windows\system32\Desktop_.ini
c:\windows\system32\do86qbbrs.exe
c:\windows\system32\drivers\str.sys
c:\windows\system32\g2hid081k97.exe
c:\windows\system32\hm86y81kvw.exe
c:\windows\system32\j66a86m8.exe
c:\windows\system32\llhxxtjjfvv.exe
c:\windows\system32\pk6g3c1yze.exe
c:\windows\system32\rhidtupql0.exe
c:\windows\system32\secupdat.dat
c:\windows\system32\t5jfaq1h.exe
c:\windows\system32\vlmhxytz2f.exe

.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ICF


((((((((((((((((((((((((( Soubory vytvořené od 2010-04-22 do 2010-05-22 )))))))))))))))))))))))))))))))
.

2010-05-22 10:18 . 2010-05-22 10:18 -------- d-----w- c:\program files\FileHippo.com
2010-05-22 10:03 . 2010-05-22 10:03 -------- d-----w- c:\program files\CCleaner
2010-05-21 22:40 . 2010-05-21 22:40 -------- d-----w- C:\temp
2010-05-21 22:29 . 2010-05-21 22:29 -------- d-----w- c:\documents and settings\Rumik\WINDOWS
2010-05-14 15:50 . 2010-05-14 15:50 12192 ----a-w- c:\windows\system32\drivers\UIUSyso.sys
2010-05-14 15:28 . 2010-05-14 15:28 12192 ----a-w- c:\windows\system32\drivers\UIUSyst.sys
2010-04-30 11:32 . 2010-04-30 11:32 -------- d-----w- c:\windows\Sun
2010-04-30 11:30 . 2010-04-30 11:30 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-30 11:30 . 2010-04-30 11:30 -------- d-----w- c:\program files\Java

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-22 09:10 . 2001-10-25 14:00 78084 ----a-w- c:\windows\system32\perfc005.dat
2010-05-22 09:10 . 2001-10-25 14:00 427848 ----a-w- c:\windows\system32\perfh005.dat
2010-05-15 20:42 . 2004-08-17 15:49 14336 ----a-w- c:\windows\system32\svchost.exe
2010-05-07 22:39 . 2010-03-07 13:34 -------- d-----w- c:\program files\PokerStars
2010-04-02 14:53 . 2010-02-27 19:40 -------- d-----w- c:\program files\QIP Infium
2010-04-02 14:52 . 2009-11-22 22:17 -------- d-----w- c:\program files\Opera
2010-03-30 20:23 . 2009-10-08 16:32 -------- d-----w- c:\program files\Alwil Software
2010-03-09 10:24 . 2009-10-08 16:33 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-03-09 10:24 . 2009-10-08 16:32 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-03-09 10:12 . 2009-10-08 16:33 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-03-09 10:12 . 2009-10-08 16:33 162640 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-03-09 10:09 . 2009-10-08 16:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-03-09 10:08 . 2009-10-08 16:33 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-03-09 10:08 . 2009-10-08 16:33 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-03-09 10:08 . 2009-10-08 16:33 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-03-09 10:08 . 2009-10-08 16:33 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-02-26 05:49 . 2010-02-26 05:49 176700 ----a-w- C:\qip-2005-cestina.exe
2010-02-26 05:48 . 2010-02-26 05:48 2405485 ----a-w- C:\qip8095.exe
2010-02-23 12:57 . 2010-02-23 12:58 27632 ----a-w- c:\windows\system32\drivers\seehcri.sys
2008-04-14 06:51 . 2004-08-17 15:49 161513 --sha-r- c:\windows\system32\onubm.dll
.

------- Sigcheck -------

[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2008-04-13 . 99BD46C2C790E52363DD1021DDCA3E8F . 361344 . . [5.1.2600.5512] . . c:\windows\system32\drivers\tcpip.sys
[7] 2004-08-03 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-11-24 94208]
"Sony Ericsson PC Suite"="d:\aplikace\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2009-04-01 405504]
"Infium"="c:\qip infium jadrispack\infium.exe" [2010-02-18 5711312]
"FileHippo.com"="c:\program files\FileHippo.com\UpdateChecker.exe" [2010-04-29 248832]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-10 16342528]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-07-23 8433664]
"nwiz"="nwiz.exe" [2007-07-23 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-07-23 81920]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"TO2SSM_McciTrayApp"="c:\program files\TO2SSM\McciTrayApp.exe" [2008-08-15 1473536]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-03-09 2769336]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-11-2 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
LaunchU3.exe.lnk - c:\windows\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_294823.exe [2010-1-14 22486]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7418:TCP"= 7418:TCP:jeekz

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [8.10.2009 18:33 162640]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8.10.2009 18:33 19024]
R2 UIUSyso;UIUSyso;c:\windows\system32\drivers\UIUSyso.sys [14.5.2010 17:50 12192]
R2 UIUSyst;UIUSyst;c:\windows\system32\drivers\UIUSyst.sys [14.5.2010 17:28 12192]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [23.2.2010 14:58 27632]
S2 avjgim;gpsxx;c:\windows\system32\svchost.exe -k netsvcs [17.8.2004 17:49 14336]
S2 szhfxhmk;Config Security;c:\windows\system32\svchost.exe -k netsvcs [17.8.2004 17:49 14336]
S3 aeiooprz;aeiooprz;\??\c:\windows\System32\Drivers\aeiooprz.sys --> c:\windows\System32\Drivers\aeiooprz.sys [?]
S3 ajcmuxwd;ajcmuxwd;\??\c:\windows\System32\Drivers\ajcmuxwd.sys --> c:\windows\System32\Drivers\ajcmuxwd.sys [?]
S3 hcrdltvi;hcrdltvi;\??\c:\windows\System32\Drivers\hcrdltvi.sys --> c:\windows\System32\Drivers\hcrdltvi.sys [?]
S3 ismwbywr;ismwbywr;\??\c:\windows\System32\Drivers\ismwbywr.sys --> c:\windows\System32\Drivers\ismwbywr.sys [?]
S3 umaymbda;umaymbda;\??\c:\windows\System32\Drivers\umaymbda.sys --> c:\windows\System32\Drivers\umaymbda.sys [?]
S3 uuoycfox;uuoycfox;\??\c:\windows\System32\Drivers\uuoycfox.sys --> c:\windows\System32\Drivers\uuoycfox.sys [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
szhfxhmk
avjgim
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://home.sweetim.com
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://home.sweetim.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = proxy.army.cz:8080
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Rumik\Data aplikací\Mozilla\Firefox\Profiles\e8zow1tt.default\
FF - prefs.js: network.proxy.type - 2
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll

---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -

URLSearchHooks-{EEE6C35D-6118-11DC-9C72-001320C79847} - (no file)
WebBrowser-{EEE6C35B-6118-11DC-9C72-001320C79847} - (no file)
HKCU-Run-iyyoe0 - c:\windows\system32\hm86y81kvw.exe
HKCU-Run-pavqrw8 - c:\windows\system32\j66a86m8.exe
HKCU-Run-hxytj - c:\windows\system32\g2hid081k97.exe
HKCU-Run-cydozav - c:\windows\system32\rhidtupql0.exe
HKCU-Run-qmh03 - c:\windows\system32\t5jfaq1h.exe
HKCU-Run-hxydzz - c:\windows\system32\1xy1oe1.exe
HKCU-Run-kkfwwri - c:\windows\system32\aavmmhyy.exe
HKCU-Run-sooja - c:\windows\system32\llhxxtjjfvv.exe
HKCU-Run-vmhcs1 - c:\windows\system32\pk6g3c1yze.exe
HKCU-Run-rbmxo1e - c:\windows\system32\703i1ef.exe
HKCU-Run-yefaq1m - c:\windows\system32\86qbbrs.exe
HKCU-Run-zavgrn - c:\windows\system32\bg81s3ezf3.exe
HKCU-Run-kpalmh - c:\windows\system32\do86qbbrs.exe
HKCU-Run-otpffb - c:\windows\system32\vlmhxytz2f.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-22 19:47
Windows 5.1.2600 Service Pack 3 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\avjgim]
"ServiceDll"="c:\windows\system32\onubm.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\szhfxhmk]
"ServiceDll"="c:\windows\system32\onubm.dll"
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'explorer.exe'(3320)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\wscntfy.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\documents and settings\All Users\Data aplikací\U3\U3Launcher\LaunchU3.exe
c:\docume~1\Rumik\LOCALS~1\Temp\RtkBtMnt.exe
.
**************************************************************************
.
Celkový čas: 2010-05-22 19:51:21 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-05-22 17:51

Před spuštěním: Volných bajtů: 11 079 892 992
Po spuštění: Volných bajtů: 10 954 625 024

WindowsXP-KB310994-SP2-Pro-BootDisk-CSY.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(3)\WINDOWS
[operating systems]
d:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(3)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=4 Default=4 Failed=2 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - 489BC25DB8B283A99179904078923DB4

Re: Win32 malware log

Posted: 22 May 2010 19:08
by 1danab
hello :)
your log is being worked on

Posted: 22 May 2010 19:12
by rumik.s
thanks :)

Re: Win32 malware log

Posted: 22 May 2010 19:39
by 1danab
if you haven't done so already, move ComboFix to the desktop

open Notepad

copy the script from the following window into it:

Code:

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7418:TCP"=-
[-HKEY_LOCAL_MACHINE\System\ControlSet004\Services\avjgim]
[-HKEY_LOCAL_MACHINE\System\ControlSet004\Services\szhfxhmk]

NetSvc::
avjgim
gpsxx
szhfxhmk
Config Security

Driver::
aeiooprz
ajcmuxwd
hcrdltvi
ismwbywr
umaymbda
uuoycfox

File::
c:\windows\System32\Drivers\aeiooprz.sys
c:\windows\System32\Drivers\ajcmuxwd.sys
c:\windows\System32\Drivers\hcrdltvi.sys
c:\windows\System32\Drivers\ismwbywr.sys
c:\windows\System32\Drivers\umaymbda.sys
c:\windows\System32\Drivers\uuoycfox.sys
c:\windows\system32\onubm.dll
save the text file you created as CFScript.txt on the desktop

after saving, grab the script you created with the left mouse button, drag it over the ComboFix icon and drop it there:

[image]

after it is applied another log should appear; paste it here :)

Warning: it is possible that Windows will not boot after the script is applied and the computer restarts; in that case restart again, press F8 during startup and choose Last Known Good Configuration :)
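The helper's script above is built from a few features of the first log: services parked in the svchost "netsvcs" group under random names, both pointing their ServiceDll at the same unknown DLL, S3 drivers whose .sys files are missing from disk ("[?]"), and an unexplained entry in the firewall's GloballyOpenPorts list. The Python script below is an added example and is not part of the original thread, nor of ComboFix; it applies those checks to a constructed log excerpt in ComboFix's line format and renders the result in the CFScript section layout the helper uses (the follow-up script later in the thread uses the same sections). The known-netsvcs allowlist is abbreviated and assumed; the regexes are written for the line shapes visible in this thread.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the ComboFix log above (service lines,
# ServiceDll keys, firewall open-port entries); not a verbatim copy of the log.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7418:TCP"= 7418:TCP:jeekz

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [8.10.2009 18:33 162640]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [23.2.2010 14:58 27632]
S2 avjgim;gpsxx;c:\windows\system32\svchost.exe -k netsvcs [17.8.2004 17:49 14336]
S2 szhfxhmk;Config Security;c:\windows\system32\svchost.exe -k netsvcs [17.8.2004 17:49 14336]
S3 aeiooprz;aeiooprz;\??\c:\windows\System32\Drivers\aeiooprz.sys --> c:\windows\System32\Drivers\aeiooprz.sys [?]
S3 uuoycfox;uuoycfox;\??\c:\windows\System32\Drivers\uuoycfox.sys --> c:\windows\System32\Drivers\uuoycfox.sys [?]

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\avjgim]
"ServiceDll"="c:\windows\system32\onubm.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\szhfxhmk]
"ServiceDll"="c:\windows\system32\onubm.dll"
"""

# Abbreviated set of service names that legitimately run in the XP "netsvcs"
# svchost group (assumption: partial list, extend it for real triage).
KNOWN_NETSVCS = {
    "appmgmt", "audiosrv", "bits", "browser", "cryptsvc", "dmserver", "ersvc",
    "eventsystem", "helpsvc", "lanmanserver", "lanmanworkstation", "netman",
    "nla", "rasauto", "rasman", "schedule", "seclogon", "sens", "sharedaccess",
    "shellhwdetection", "tapisrv", "themes", "trkwks", "w32time", "winmgmt",
    "wscsvc", "wuauserv", "wzcsvc", "xmlprov",
}

# Line shapes as they appear in the ComboFix log: "S2 name;display;path [...]",
# a registry key naming a service, its ServiceDll value, and a firewall port.
SERVICE_RE = re.compile(r"^(?P<start>[RS][0-4]) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
KEY_RE = re.compile(r"^\[(?:HKEY_LOCAL_MACHINE|HKLM)\\.*\\Services\\([^\\\]]+)\]$", re.I)
DLL_RE = re.compile(r'^"ServiceDll"="(.*)"$', re.I)
PORT_RE = re.compile(r'^"(\d+:(?:TCP|UDP))"=\s*\S*:(\S+)$', re.I)
PATH_RE = re.compile(r"[a-z]:\\[^ \[]+", re.I)


def triage(log_text):
    """Scan a ComboFix-style log and return the entries worth removing."""
    findings = {"netsvcs": [], "drivers": [], "files": [], "ports": []}
    dll_owners = defaultdict(list)   # ServiceDll path -> services using it
    current_key = None
    for line in log_text.splitlines():
        line = line.strip()
        m = SERVICE_RE.match(line)
        if m:
            name, rest = m.group("name"), m.group("rest")
            # svchost-hosted service in netsvcs with a name Windows does not ship
            if "svchost.exe -k netsvcs" in rest.lower() and name.lower() not in KNOWN_NETSVCS:
                findings["netsvcs"].append((name, m.group("display")))
            # driver service whose binary is missing on disk ("[?]")
            if rest.endswith("[?]"):
                findings["drivers"].append(name)
                path = PATH_RE.search(rest)
                if path:
                    findings["files"].append(path.group(0))
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = DLL_RE.match(line)
        if m and current_key:
            dll_owners[m.group(1).lower()].append(current_key)
            continue
        m = PORT_RE.match(line)
        if m:
            findings["ports"].append((m.group(1), m.group(2)))
    # A DLL hosting a flagged service, or shared by several services, goes too.
    flagged = {n.lower() for n, _ in findings["netsvcs"]}
    for dll, owners in dll_owners.items():
        if len(owners) > 1 or any(o.lower() in flagged for o in owners):
            findings["files"].append(dll)
    return findings


def build_cfscript(findings):
    """Render findings in the CFScript section layout used in the thread."""
    out = []
    if findings["ports"]:
        out.append("Registry::")
        out.append(r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]")
        out.extend('"%s"=-' % port for port, _ in findings["ports"])
        out.append("")
    if findings["netsvcs"]:
        out.append("NetSvc::")
        for name, display in findings["netsvcs"]:
            out.extend([name, display])
        out.append("")
    if findings["drivers"]:
        out.append("Driver::")
        out.extend(findings["drivers"])
        out.append("")
    if findings["files"]:
        out.append("File::")
        out.extend(findings["files"])
    return "\n".join(out)


if __name__ == "__main__":
    print(build_cfscript(triage(SAMPLE_LOG)))
```

Run on the constructed excerpt it reproduces the helper's first script: a Registry:: entry deleting the 7418:TCP exception, the two random-named netsvcs services with their display names, the two missing-file drivers, and a File:: list containing the driver paths and the shared onubm.dll. The allowlist decides what "unknown" means, so on a real machine compare it against a clean reference of the same Windows build before trusting a hit.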

Re: Win32 malware log

Posted: 22 May 2010 20:35
by rumik.s
I think it should be fine now because it stopped reporting it.... here is the log:


ComboFix 10-05-22.01 - Rumik 22.05.2010 21:11:39.2.2 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.767.334 [GMT 2:00]
Spuštěný z: c:\documents and settings\Rumik\Dokumenty\Stažené soubory\grinder.com.exe
Použité ovládací přepínače :: c:\documents and settings\Rumik\Plocha\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
"c:\windows\System32\Drivers\aeiooprz.sys"
"c:\windows\System32\Drivers\ajcmuxwd.sys"
"c:\windows\System32\Drivers\hcrdltvi.sys"
"c:\windows\System32\Drivers\ismwbywr.sys"
"c:\windows\System32\Drivers\umaymbda.sys"
"c:\windows\System32\Drivers\uuoycfox.sys"
"c:\windows\system32\onubm.dll"
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\onubm.dll

.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_aeiooprz
-------\Service_ajcmuxwd
-------\Service_hcrdltvi
-------\Service_ismwbywr
-------\Service_umaymbda
-------\Service_uuoycfox
-------\Legacy_avjgim
-------\Legacy_szhfxhmk
-------\Service_avjgim
-------\Service_szhfxhmk


((((((((((((((((((((((((( Soubory vytvořené od 2010-04-22 do 2010-05-22 )))))))))))))))))))))))))))))))
.

2010-05-22 10:18 . 2010-05-22 10:18 -------- d-----w- c:\program files\FileHippo.com
2010-05-22 10:03 . 2010-05-22 10:03 -------- d-----w- c:\program files\CCleaner
2010-05-21 22:40 . 2010-05-21 22:40 -------- d-----w- C:\temp
2010-05-21 22:29 . 2010-05-21 22:29 -------- d-----w- c:\documents and settings\Rumik\WINDOWS
2010-05-14 15:50 . 2010-05-14 15:50 12192 ----a-w- c:\windows\system32\drivers\UIUSyso.sys
2010-05-14 15:28 . 2010-05-14 15:28 12192 ----a-w- c:\windows\system32\drivers\UIUSyst.sys
2010-04-30 11:32 . 2010-04-30 11:32 -------- d-----w- c:\windows\Sun
2010-04-30 11:30 . 2010-04-30 11:30 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-30 11:30 . 2010-04-30 11:30 -------- d-----w- c:\program files\Java

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-22 09:10 . 2001-10-25 14:00 78084 ----a-w- c:\windows\system32\perfc005.dat
2010-05-22 09:10 . 2001-10-25 14:00 427848 ----a-w- c:\windows\system32\perfh005.dat
2010-05-15 20:42 . 2004-08-17 15:49 14336 ----a-w- c:\windows\system32\svchost.exe
2010-05-07 22:39 . 2010-03-07 13:34 -------- d-----w- c:\program files\PokerStars
2010-04-02 14:53 . 2010-02-27 19:40 -------- d-----w- c:\program files\QIP Infium
2010-04-02 14:52 . 2009-11-22 22:17 -------- d-----w- c:\program files\Opera
2010-03-30 20:23 . 2009-10-08 16:32 -------- d-----w- c:\program files\Alwil Software
2010-03-09 10:24 . 2009-10-08 16:33 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-03-09 10:24 . 2009-10-08 16:32 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-03-09 10:12 . 2009-10-08 16:33 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-03-09 10:12 . 2009-10-08 16:33 162640 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-03-09 10:09 . 2009-10-08 16:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-03-09 10:08 . 2009-10-08 16:33 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-03-09 10:08 . 2009-10-08 16:33 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-03-09 10:08 . 2009-10-08 16:33 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-03-09 10:08 . 2009-10-08 16:33 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-02-26 05:49 . 2010-02-26 05:49 176700 ----a-w- C:\qip-2005-cestina.exe
2010-02-26 05:48 . 2010-02-26 05:48 2405485 ----a-w- C:\qip8095.exe
2010-02-23 12:57 . 2010-02-23 12:58 27632 ----a-w- c:\windows\system32\drivers\seehcri.sys
.

------- Sigcheck -------

[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2008-04-13 . 99BD46C2C790E52363DD1021DDCA3E8F . 361344 . . [5.1.2600.5512] . . c:\windows\system32\drivers\tcpip.sys
[7] 2004-08-03 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-11-24 94208]
"Sony Ericsson PC Suite"="d:\aplikace\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2009-04-01 405504]
"Infium"="c:\qip infium jadrispack\infium.exe" [2010-02-18 5711312]
"FileHippo.com"="c:\program files\FileHippo.com\UpdateChecker.exe" [2010-04-29 248832]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-10 16342528]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-07-23 8433664]
"nwiz"="nwiz.exe" [2007-07-23 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-07-23 81920]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"TO2SSM_McciTrayApp"="c:\program files\TO2SSM\McciTrayApp.exe" [2008-08-15 1473536]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-03-09 2769336]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-11-2 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
LaunchU3.exe.lnk - c:\windows\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_294823.exe [2010-1-14 22486]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [8.10.2009 18:33 162640]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8.10.2009 18:33 19024]
R2 UIUSyso;UIUSyso;c:\windows\system32\drivers\UIUSyso.sys [14.5.2010 17:50 12192]
R2 UIUSyst;UIUSyst;c:\windows\system32\drivers\UIUSyst.sys [14.5.2010 17:28 12192]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [23.2.2010 14:58 27632]
S2 avjgim;gpsxx;c:\windows\system32\svchost.exe -k netsvcs [17.8.2004 17:49 14336]
S2 szhfxhmk;Config Security;c:\windows\system32\svchost.exe -k netsvcs [17.8.2004 17:49 14336]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://home.sweetim.com
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://home.sweetim.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = proxy.army.cz:8080
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Rumik\Data aplikací\Mozilla\Firefox\Profiles\e8zow1tt.default\
FF - prefs.js: network.proxy.type - 2
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll

---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-22 21:27
Windows 5.1.2600 Service Pack 3 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\avjgim]
"ServiceDll"="c:\windows\system32\onubm.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\szhfxhmk]
"ServiceDll"="c:\windows\system32\onubm.dll"
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'explorer.exe'(3680)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
c:\documents and settings\All Users\Data aplikací\U3\U3Launcher\LaunchU3.exe
c:\docume~1\Rumik\LOCALS~1\Temp\RtkBtMnt.exe
.
**************************************************************************
.
Celkový čas: 2010-05-22 21:31:06 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-05-22 19:31
ComboFix2.txt 2010-05-22 17:51

Před spuštěním: Volných bajtů: 10 950 971 392
Po spuštění: Volných bajtů: 10 912 395 264

Current=4 Default=4 Failed=2 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - 845A6C1AE5EC73E476B92280FF7E0FA2

Re: Win32 malware log

Posted: 22 May 2010 21:14
by 1danab
we'll do one more script :)

open Notepad
copy the script from the following window into it:

Code:

NetSvc::
avjgim
gpsxx
szhfxhmk
Config Security

Driver::
avjgim
gpsxx
szhfxhmk
Config Security

File::
c:\windows\system32\onubm.dll
save the text file you created as CFScript.txt on the desktop

after saving, grab the script you created with the left mouse button, drag it over the ComboFix icon and drop it there:

[image]

after it is applied another log should appear; paste it here :)

Warning: it is possible that Windows will not boot after the script is applied and the computer restarts; in that case restart again, press F8 during startup and choose Last Known Good Configuration :)

Re: Win32 malware log

Posted: 22 May 2010 22:41
by rumik.s
so hopefully for the last time :)



ComboFix 10-05-22.01 - Rumik 22.05.2010 23:26:59.3.2 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.767.392 [GMT 2:00]
Spuštěný z: c:\documents and settings\Rumik\Dokumenty\Stažené soubory\grinder.com.exe
Použité ovládací přepínače :: c:\documents and settings\Rumik\Plocha\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
"c:\windows\system32\onubm.dll"
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_avjgim
-------\Service_szhfxhmk


((((((((((((((((((((((((( Soubory vytvořené od 2010-04-22 do 2010-05-22 )))))))))))))))))))))))))))))))
.

2010-05-22 10:18 . 2010-05-22 10:18 -------- d-----w- c:\program files\FileHippo.com
2010-05-22 10:03 . 2010-05-22 10:03 -------- d-----w- c:\program files\CCleaner
2010-05-21 22:40 . 2010-05-21 22:40 -------- d-----w- C:\temp
2010-05-21 22:29 . 2010-05-21 22:29 -------- d-----w- c:\documents and settings\Rumik\WINDOWS
2010-05-14 15:50 . 2010-05-14 15:50 12192 ----a-w- c:\windows\system32\drivers\UIUSyso.sys
2010-05-14 15:28 . 2010-05-14 15:28 12192 ----a-w- c:\windows\system32\drivers\UIUSyst.sys
2010-04-30 11:32 . 2010-04-30 11:32 -------- d-----w- c:\windows\Sun
2010-04-30 11:30 . 2010-04-30 11:30 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-30 11:30 . 2010-04-30 11:30 -------- d-----w- c:\program files\Java

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-22 09:10 . 2001-10-25 14:00 78084 ----a-w- c:\windows\system32\perfc005.dat
2010-05-22 09:10 . 2001-10-25 14:00 427848 ----a-w- c:\windows\system32\perfh005.dat
2010-05-15 20:42 . 2004-08-17 15:49 14336 ----a-w- c:\windows\system32\svchost.exe
2010-05-07 22:39 . 2010-03-07 13:34 -------- d-----w- c:\program files\PokerStars
2010-04-02 14:53 . 2010-02-27 19:40 -------- d-----w- c:\program files\QIP Infium
2010-04-02 14:52 . 2009-11-22 22:17 -------- d-----w- c:\program files\Opera
2010-03-30 20:23 . 2009-10-08 16:32 -------- d-----w- c:\program files\Alwil Software
2010-03-09 10:24 . 2009-10-08 16:33 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-03-09 10:24 . 2009-10-08 16:32 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-03-09 10:12 . 2009-10-08 16:33 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-03-09 10:12 . 2009-10-08 16:33 162640 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-03-09 10:09 . 2009-10-08 16:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-03-09 10:08 . 2009-10-08 16:33 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-03-09 10:08 . 2009-10-08 16:33 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-03-09 10:08 . 2009-10-08 16:33 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-03-09 10:08 . 2009-10-08 16:33 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-02-26 05:49 . 2010-02-26 05:49 176700 ----a-w- C:\qip-2005-cestina.exe
2010-02-26 05:48 . 2010-02-26 05:48 2405485 ----a-w- C:\qip8095.exe
2010-02-23 12:57 . 2010-02-23 12:58 27632 ----a-w- c:\windows\system32\drivers\seehcri.sys
.

------- Sigcheck -------

[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2008-04-13 . 99BD46C2C790E52363DD1021DDCA3E8F . 361344 . . [5.1.2600.5512] . . c:\windows\system32\drivers\tcpip.sys
[7] 2004-08-03 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot@2010-05-22_19.27.10 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-22 21:33 . 2010-05-22 21:33 16384 c:\windows\Temp\Perflib_Perfdata_1d8.dat
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-11-24 94208]
"Sony Ericsson PC Suite"="d:\aplikace\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2009-04-01 405504]
"Infium"="c:\qip infium jadrispack\infium.exe" [2010-02-18 5711312]
"FileHippo.com"="c:\program files\FileHippo.com\UpdateChecker.exe" [2010-04-29 248832]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-10 16342528]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-07-23 8433664]
"nwiz"="nwiz.exe" [2007-07-23 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-07-23 81920]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"TO2SSM_McciTrayApp"="c:\program files\TO2SSM\McciTrayApp.exe" [2008-08-15 1473536]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-03-09 2769336]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-11-2 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
LaunchU3.exe.lnk - c:\windows\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_294823.exe [2010-1-14 22486]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [8.10.2009 18:33 162640]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8.10.2009 18:33 19024]
R2 UIUSyso;UIUSyso;c:\windows\system32\drivers\UIUSyso.sys [14.5.2010 17:50 12192]
R2 UIUSyst;UIUSyst;c:\windows\system32\drivers\UIUSyst.sys [14.5.2010 17:28 12192]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [23.2.2010 14:58 27632]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://home.sweetim.com
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://home.sweetim.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = proxy.army.cz:8080
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Rumik\Data aplikací\Mozilla\Firefox\Profiles\e8zow1tt.default\
FF - prefs.js: network.proxy.type - 2
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll

---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-22 23:34
Windows 5.1.2600 Service Pack 3 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'explorer.exe'(2436)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
c:\documents and settings\All Users\Data aplikací\U3\U3Launcher\LaunchU3.exe
c:\docume~1\Rumik\LOCALS~1\Temp\RtkBtMnt.exe
.
**************************************************************************
.
Celkový čas: 2010-05-22 23:38:22 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-05-22 21:38
ComboFix2.txt 2010-05-22 19:31
ComboFix3.txt 2010-05-22 17:51

Před spuštěním: Volných bajtů: 10 882 584 576
Po spuštění: Volných bajtů: 10 842 370 048

Current=4 Default=4 Failed=2 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - B7FC9D8EB040CD41C9D8E6C20B0F7CD9

Re: Win32 malware log

Posted: 22 May 2010 23:16
by 1danab
c:\windows\system32\drivers\UIUSyso.sys
c:\windows\system32\drivers\UIUSyst.sys

have them checked on VIRUSTOTAL

quick guide: once the page has loaded, click Browse, locate the file mentioned above and click the Send file button; if a message pops up saying the file has already been scanned, ignore it and run the scan again; when the scan finishes, paste the results here, either by copying the text or by pasting the link :)

Re: Win32 malware log

Posted: 23 May 2010 06:47
by rumik.s

Re: Win32 malware log

Posted: 23 May 2010 10:01
by 1danab
then I'll also ask you for this :)
download GMER, unpack it and run it

a scan will run; once it finishes, the results are displayed

then click Save, which stores the log; paste its contents here

then follow this guide to do the second scan and again paste the log contents here :)

Re: Win32 malware log

Posted: 23 May 2010 10:18
by rumik.s
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-05-23 11:17:21
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Rumik\LOCALS~1\Temp\uxtdrpod.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0xF3C7B4FE]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0xF3C7B322]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xF3C7B45C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- EOF - GMER 1.0.15 ----

Re: Win32 malware log

Posted: 23 May 2010 12:41
by 1danab
I'll also ask for that second log :)

Re: Win32 malware log

Posted: 24 May 2010 20:40
by rumik.s
It didn't quite work for me; it kept freezing on me. So I had to move most of the files to an external drive. Then it worked.



GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-24 21:18:20
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Rumik\LOCALS~1\Temp\uxtdrpod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xF3C6EC56]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xF3C6EB12]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteKey [0xF3C6F0C6]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xF3C6EFF0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xF3C6E6E8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xF3C6EBEC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xF3C6E628]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xF3C6E68C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xF3C6ED0C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xF3C6F194]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xF3C6ECCC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xF3C6EE4C]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0xF3C7B4FE]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0xF3C7B322]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xF3C7B45C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2CE0 8050457C 4 Bytes CALL ED440C67
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF688B380, 0x2F46F7, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text D:\aplikace\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3596] USER32.dll!DefWindowProcA + 11A 7E37C298 7 Bytes JMP 10034820 D:\aplikace\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
.text D:\aplikace\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3596] USER32.dll!SetWindowRgn + 2BD 7E37E7E5 7 Bytes JMP 10034790 D:\aplikace\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
.text D:\aplikace\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3596] USER32.dll!SetClipboardData + 19D 7E38113B 7 Bytes JMP 10034800 D:\aplikace\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[908] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003D0002
IAT C:\WINDOWS\system32\services.exe[908] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003D0000
IAT C:\WINDOWS\system32\services.exe[908] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtClose] 7FF90004

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\avjgim@DisplayName gpsxx
Reg HKLM\SYSTEM\ControlSet001\Services\avjgim@Type 32
Reg HKLM\SYSTEM\ControlSet001\Services\avjgim@Start 2
Reg HKLM\SYSTEM\ControlSet001\Services\avjgim@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet001\Services\avjgim@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet001\Services\avjgim@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet001\Services\avjgim@Description Udržuje synchronizaci data a času u všech klientů a serverů v síti. Pokud bude tato služba ukončena, synchronizace data a času nebude k dispozici. Jestliže je tato služba zakázána, nezdaří se spuštění žádných služeb, které na této službě závisí.
Reg HKLM\SYSTEM\ControlSet001\Services\avjgim\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\avjgim\Parameters@ServiceDll C:\WINDOWS\system32\onubm.dll
Reg HKLM\SYSTEM\ControlSet001\Services\szhfxhmk@DisplayName Config Security
Reg HKLM\SYSTEM\ControlSet001\Services\szhfxhmk@Type 32
Reg HKLM\SYSTEM\ControlSet001\Services\szhfxhmk@Start 2
Reg HKLM\SYSTEM\ControlSet001\Services\szhfxhmk@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet001\Services\szhfxhmk@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet001\Services\szhfxhmk@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet001\Services\szhfxhmk@Description Poskytuje tři služby pro správu: Databázovou službu katalogu, která potvrzuje podpisy souborů systému Windows; službu Ochrany kořenových certifikátů, která přidává a odebírá důvěryhodné kořenové Certifikační úřady; službu Správy klíčů, která pomáhá přihlásit počítač k odběru certifikátů. Je-li tato služba zastavena, nebudou tyto služby správy správně fungovat. Je-li tato služba zakázána, pak se spuštění všech služeb výslovně závislých na této službě nezdaří.
Reg HKLM\SYSTEM\ControlSet001\Services\szhfxhmk\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\szhfxhmk\Parameters@ServiceDll C:\WINDOWS\system32\onubm.dll
Reg HKLM\SYSTEM\ControlSet002\Services\avjgim@DisplayName gpsxx
Reg HKLM\SYSTEM\ControlSet002\Services\avjgim@Type 32
Reg HKLM\SYSTEM\ControlSet002\Services\avjgim@Start 2
Reg HKLM\SYSTEM\ControlSet002\Services\avjgim@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\avjgim@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\avjgim@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\avjgim@Description Udržuje synchronizaci data a času u všech klientů a serverů v síti. Pokud bude tato služba ukončena, synchronizace data a času nebude k dispozici. Jestliže je tato služba zakázána, nezdaří se spuštění žádných služeb, které na této službě závisí.
Reg HKLM\SYSTEM\ControlSet002\Services\avjgim\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\avjgim\Parameters@ServiceDll C:\WINDOWS\system32\onubm.dll
Reg HKLM\SYSTEM\ControlSet002\Services\szhfxhmk@DisplayName Config Security
Reg HKLM\SYSTEM\ControlSet002\Services\szhfxhmk@Type 32
Reg HKLM\SYSTEM\ControlSet002\Services\szhfxhmk@Start 2
Reg HKLM\SYSTEM\ControlSet002\Services\szhfxhmk@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\szhfxhmk@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\szhfxhmk@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\szhfxhmk@Description Poskytuje tři služby pro správu: Databázovou službu katalogu, která potvrzuje podpisy souborů systému Windows; službu Ochrany kořenových certifikátů, která přidává a odebírá důvěryhodné kořenové Certifikační úřady; službu Správy klíčů, která pomáhá přihlásit počítač k odběru certifikátů. Je-li tato služba zastavena, nebudou tyto služby správy správně fungovat. Je-li tato služba zakázána, pak se spuštění všech služeb výslovně závislých na této službě nezdaří.
Reg HKLM\SYSTEM\ControlSet002\Services\szhfxhmk\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\szhfxhmk\Parameters@ServiceDll C:\WINDOWS\system32\onubm.dll
Reg HKLM\SYSTEM\ControlSet003\Services\avjgim@DisplayName gpsxx
Reg HKLM\SYSTEM\ControlSet003\Services\avjgim@Type 32
Reg HKLM\SYSTEM\ControlSet003\Services\avjgim@Start 2
Reg HKLM\SYSTEM\ControlSet003\Services\avjgim@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\avjgim@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet003\Services\avjgim@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet003\Services\avjgim@Description Udržuje synchronizaci data a času u všech klientů a serverů v síti. Pokud bude tato služba ukončena, synchronizace data a času nebude k dispozici. Jestliže je tato služba zakázána, nezdaří se spuštění žádných služeb, které na této službě závisí.
Reg HKLM\SYSTEM\ControlSet003\Services\avjgim\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\avjgim\Parameters@ServiceDll C:\WINDOWS\system32\onubm.dll
Reg HKLM\SYSTEM\ControlSet003\Services\szhfxhmk@DisplayName Config Security
Reg HKLM\SYSTEM\ControlSet003\Services\szhfxhmk@Type 32
Reg HKLM\SYSTEM\ControlSet003\Services\szhfxhmk@Start 2
Reg HKLM\SYSTEM\ControlSet003\Services\szhfxhmk@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\szhfxhmk@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet003\Services\szhfxhmk@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet003\Services\szhfxhmk@Description Poskytuje tři služby pro správu: Databázovou službu katalogu, která potvrzuje podpisy souborů systému Windows; službu Ochrany kořenových certifikátů, která přidává a odebírá důvěryhodné kořenové Certifikační úřady; službu Správy klíčů, která pomáhá přihlásit počítač k odběru certifikátů. Je-li tato služba zastavena, nebudou tyto služby správy správně fungovat. Je-li tato služba zakázána, pak se spuštění všech služeb výslovně závislých na této službě nezdaří.
Reg HKLM\SYSTEM\ControlSet003\Services\szhfxhmk\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\szhfxhmk\Parameters@ServiceDll C:\WINDOWS\system32\onubm.dll

---- Files - GMER 1.0.15 ----

ADS C:\System Volume Information\_restore{BC69FA36-03F9-49AF-B74D-753A03D6DDED}\RP241\A0046469.exe:exe.exe 36352 bytes executable
ADS C:\System Volume Information\_restore{BC69FA36-03F9-49AF-B74D-753A03D6DDED}\RP241\A0045460.exe:exe.exe 36352 bytes executable
ADS C:\System Volume Information\_restore{BC69FA36-03F9-49AF-B74D-753A03D6DDED}\RP245\A0074496.exe:exe.exe 36352 bytes executable
ADS C:\System Volume Information\_restore{BC69FA36-03F9-49AF-B74D-753A03D6DDED}\RP245\A0074497.exe:exe.exe 36352 bytes executable

---- EOF - GMER 1.0.15 ----

Re: Win32 malware log

Posted: 25 May 2010 08:48
by 1danab
run gmer again, click the three arrows at the top and choose the cmd tab from the menu
copy the following text into the window

Code:

gmer -killall
gmer -del file "C:\WINDOWS\system32\onubm.dll"
gmer -del file "C:\System Volume Information\_restore{BC69FA36-03F9-49AF-B74D-753A03D6DDED}\RP241\A0046469.exe:exe.exe"
gmer -del file "C:\System Volume Information\_restore{BC69FA36-03F9-49AF-B74D-753A03D6DDED}\RP241\A0045460.exe:exe.exe"
gmer -del file "C:\System Volume Information\_restore{BC69FA36-03F9-49AF-B74D-753A03D6DDED}\RP245\A0074496.exe:exe.exe"
gmer -del file "C:\System Volume Information\_restore{BC69FA36-03F9-49AF-B74D-753A03D6DDED}\RP245\A0074497.exe:exe.exe"
reg delete "HKLM\SYSTEM\ControlSet001\Services\avjgim"
reg delete "HKLM\SYSTEM\ControlSet001\Services\avjgim\Parameters"
reg delete "HKLM\SYSTEM\ControlSet001\Services\szhfxhmk"
reg delete "HKLM\SYSTEM\ControlSet001\Services\szhfxhmk\Parameters"
reg delete "HKLM\SYSTEM\ControlSet002\Services\avjgim"
reg delete "HKLM\SYSTEM\ControlSet002\Services\avjgim\Parameters"
reg delete "HKLM\SYSTEM\ControlSet002\Services\szhfxhmk"
reg delete "HKLM\SYSTEM\ControlSet002\Services\szhfxhmk\Parameters"
reg delete "HKLM\SYSTEM\ControlSet003\Services\avjgim"
reg delete "HKLM\SYSTEM\ControlSet003\Services\avjgim\Parameters"
reg delete "HKLM\SYSTEM\ControlSet003\Services\szhfxhmk"
reg delete "HKLM\SYSTEM\ControlSet003\Services\szhfxhmk\Parameters"
gmer -reboot

and click Run
restart the PC and paste a new log from GMER
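
The script above removes, from every ControlSet, the two svchost-hosted services (avjgim and szhfxhmk) that GMER found pointing at the same ServiceDll, onubm.dll. As an added example (not part of this thread and not code from GMER or ComboFix), the following Python script parses the `Reg` lines of a GMER log, flags svchost-hosted services whose ServiceDll is outside a baseline or is shared by several differently named services, and lists the service keys a cleanup would have to remove. The sample lines for avjgim and szhfxhmk are copied from the log posted above; the W32Time lines and the baseline DLL set are constructed for the example (a real baseline comes from a known-clean reference machine).

```python
"""Flag svchost-hosted services in a GMER registry section whose ServiceDll
looks wrong, and list the service keys a cleanup would have to remove.
Added example; not part of the forum thread, GMER or ComboFix."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample input. The avjgim/szhfxhmk lines are copied from the GMER log
# posted in the thread; the W32Time lines are a constructed legitimate control.
SAMPLE_LOG = r"""
Reg HKLM\SYSTEM\ControlSet001\Services\avjgim@DisplayName gpsxx
Reg HKLM\SYSTEM\ControlSet001\Services\avjgim@Type 32
Reg HKLM\SYSTEM\ControlSet001\Services\avjgim@Start 2
Reg HKLM\SYSTEM\ControlSet001\Services\avjgim@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet001\Services\avjgim\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\avjgim\Parameters@ServiceDll C:\WINDOWS\system32\onubm.dll
Reg HKLM\SYSTEM\ControlSet001\Services\szhfxhmk@DisplayName Config Security
Reg HKLM\SYSTEM\ControlSet001\Services\szhfxhmk@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet001\Services\szhfxhmk\Parameters@ServiceDll C:\WINDOWS\system32\onubm.dll
Reg HKLM\SYSTEM\ControlSet002\Services\avjgim@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\avjgim\Parameters@ServiceDll C:\WINDOWS\system32\onubm.dll
Reg HKLM\SYSTEM\ControlSet001\Services\W32Time@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet001\Services\W32Time\Parameters@ServiceDll %SystemRoot%\system32\w32time.dll
"""

# Illustrative baseline of DLLs that legitimately run under "svchost.exe -k netsvcs"
# on Windows XP (assumption for the example; a real baseline is taken from a clean box).
BASELINE_NETSVCS_DLLS = {
    "w32time.dll", "cryptsvc.dll", "wuauserv.dll", "browser.dll",
    "srvsvc.dll", "seclogon.dll", "schedsvc.dll", "shsvcs.dll",
}

_LINE = re.compile(r"^Reg\s+(?P<token>\S+)\s*(?P<data>.*)$")


def parse_gmer_registry(text):
    """Return {(controlset, service): {value_name: data}} from GMER 'Reg' lines.

    Lines without an '@value' part (bare key listings such as
    '...\\Parameters (not active ControlSet)') carry no data and are skipped.
    Values under sub-keys are stored as 'Sub\\Value', e.g. 'Parameters\\ServiceDll'.
    """
    records = defaultdict(dict)
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m or "@" not in m.group("token"):
            continue
        key, value = m.group("token").rsplit("@", 1)
        parts = key.split("\\")
        # Expect HKLM\SYSTEM\ControlSetNNN\Services\<service>[\<subkey>...]
        if len(parts) < 5 or parts[1].upper() != "SYSTEM" or parts[3].lower() != "services":
            continue
        controlset, service, subkeys = parts[2], parts[4], parts[5:]
        records[(controlset, service)]["\\".join(subkeys + [value])] = m.group("data").strip()
    return dict(records)


def _dll_basename(path):
    return PureWindowsPath(path.strip('"')).name.lower()


def find_suspicious_services(records, baseline=BASELINE_NETSVCS_DLLS):
    """Flag svchost-hosted services whose ServiceDll is outside the baseline
    or is shared by several differently named services (one DLL, many names)."""
    dll_owners = defaultdict(set)
    hosted = {}
    for (cs, svc), values in records.items():
        image = values.get("ImagePath", "").lower()
        dll = values.get("Parameters\\ServiceDll")
        if "svchost.exe" not in image or not dll:
            continue
        base = _dll_basename(dll)
        hosted[(cs, svc)] = (dll, base)
        dll_owners[base].add(svc)

    findings = []
    for (cs, svc), (dll, base) in sorted(hosted.items()):
        reasons = []
        if base not in baseline:
            reasons.append(f"ServiceDll {base} is not in the netsvcs baseline")
        others = dll_owners[base] - {svc}
        if others:
            reasons.append("ServiceDll shared with service(s) " + ", ".join(sorted(others)))
        if reasons:
            findings.append({"controlset": cs, "service": svc, "dll": dll, "reasons": reasons})
    return findings


def keys_to_delete(findings):
    """Service keys to remove, one per flagged service and ControlSet."""
    return sorted(f"HKLM\\SYSTEM\\{f['controlset']}\\Services\\{f['service']}" for f in findings)


if __name__ == "__main__":
    found = find_suspicious_services(parse_gmer_registry(SAMPLE_LOG))
    for f in found:
        print(f"{f['controlset']}\\{f['service']} -> {f['dll']}")
        for reason in f["reasons"]:
            print("   ", reason)
    print("\n".join(keys_to_delete(found)))
```

The "one DLL, many service names" check is the strongest signal in this log: legitimate netsvcs members each have their own DLL, while both random-named services here load onubm.dll and borrow the display text of real Windows services. Deleting the keys in every ControlSet, as the script in the post does, matters because a "Last Known Good" boot would otherwise restore the service from another set.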

Re: Win32 malware log

Posted: 25 May 2010 18:34
by rumik.s
after clicking Run the screen went black and it reported two errors:

1) An error 0x00000002 occurred during the deletion of file:
"WINDOWS/system32/onubm.dll": Uvedený modul nebyl nalezen.

2) An error 0x00000002 occurred during the deletion of file
"C:/system volume information/_restore {BC69FA36-03F9-49AF-
B74D-753A03D6DDED}/RP241/A0046469 exe:exe,exe".
Uvedený modul nebyl nalezen