avast-trojskeho kone-log z rsit

[misako]

Dobry den, scan avastu nasel trojskeho kone-
C:\Documents and Settings\míša\Local Settings\Temp\oljche.tmp
Win32:Kates-AT [Trj]
100702-1, 02.07.2010

prosim o radu co dal.

Prikladam log, moc dekuji.


Logfile of random's system information tool 1.07 (written by random/random)
Run by míša at 2010-07-02 23:02:21
Systém Microsoft Windows XP Professional Service Pack 2
System drive C: has 25 GB (61%) free of 40 GB
Total RAM: 447 MB (11% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 23:03:58, on 2.7.2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Seznam\Postak\Postak.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_06\bin\jucheck.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\míša\Plocha\RSIT(2).exe
C:\Program Files\trend micro\míša.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: &S-Rank - {B71B15CF-3093-459C-B764-AEB2486F2273} - C:\Program Files\Seznam\Postak\SRank.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SMail] "C:\Program Files\Seznam\Postak\Postak.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Eurotran XP - {230D1201-7607-4CF6-A11F-9E4BF0A333E0} - C:\Program Files\Eurotran XP\etnxp.dll
O9 - Extra button: (no name) - {2C73F784-D2DE-4422-B070-2E3332FE5744} - C:\Program Files\Eurotran XP\etnxp.dll
O9 - Extra 'Tools' menuitem: Eurotran XP... - {2C73F784-D2DE-4422-B070-2E3332FE5744} - C:\Program Files\Eurotran XP\etnxp.dll
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Proces mezipaměti kategorií součástí - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe

--
End of file - 7230 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2005-09-24 63136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll [2008-03-25 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{B71B15CF-3093-459C-B764-AEB2486F2273} - &S-Rank - C:\Program Files\Seznam\Postak\SRank.dll [2005-05-17 266240]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2005-03-17 339968]
"SoundMan"=C:\WINDOWS\SOUNDMAN.EXE [2005-06-20 77824]
"WinampAgent"=C:\Program Files\Winamp\winampa.exe [2003-12-13 33792]
"SMail"=C:\Program Files\Seznam\Postak\Postak.exe [2005-11-30 450560]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2006-10-30 256576]
"AAWTray"=C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe [2007-08-08 88024]
"DAEMON Tools-1033"=C:\Program Files\D-Tools\daemon.exe [2004-03-12 81920]
"dvd43"=C:\Program Files\dvd43\dvd43_tray.exe [2006-05-22 694272]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe [2008-03-25 144784]
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [2009-11-25 81000]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe [2004-08-17 15360]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2004-10-13 1694208]

C:\Documents and Settings\All Users\Nabídka Start\Programy\Po spuštění
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2005-03-15 61440]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, msansspc.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=36
"NoDriveAutoRun"=0xFFFFFFFF
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe"="C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe:*:Enabled:Sunbelt Kerio Firewall GUI"
"C:\Program Files\ICQ6\ICQ.exe"="C:\Program Files\ICQ6\ICQ.exe:*:Enabled:ICQ6"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2010-07-02 23:02:23 ----D---- C:\Program Files\trend micro
2010-07-02 23:02:21 ----D---- C:\rsit

======List of files/folders modified in the last 1 months======

2010-07-02 23:02:23 ----RD---- C:\Program Files
2010-07-02 23:02:13 ----D---- C:\WINDOWS\Prefetch
2010-07-02 22:56:10 ----D---- C:\Program Files\Mozilla Firefox
2010-07-02 22:13:16 ----D---- C:\WINDOWS\Temp
2010-07-02 14:45:11 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-07-02 00:04:17 ----D---- C:\WINDOWS\system32\CatRoot2
2010-07-01 23:06:06 ----D---- C:\Documents and Settings\míša\Data aplikací\Skype
2010-06-30 14:48:01 ----A---- C:\WINDOWS\NeroDigital.ini
2010-06-29 18:30:33 ----A---- C:\WINDOWS\winamp.ini
2010-06-29 07:16:39 ----D---- C:\Documents and Settings\míša\Data aplikací\Vso
2010-06-27 20:26:03 ----D---- C:\WINDOWS\system32\config
2010-06-27 20:25:47 ----D---- C:\WINDOWS\system32\wbem
2010-06-27 20:25:46 ----D---- C:\WINDOWS\Registration
2010-06-16 12:13:10 ----A---- C:\WINDOWS\win.ini
2010-06-13 21:39:12 ----D---- C:\Program Files\rajce

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Aavmker4;avast! Asynchronous Virus Monitor; C:\WINDOWS\system32\drivers\Aavmker4.sys [2009-11-25 27408]
R1 AmdK8;AMD Processor Driver; C:\WINDOWS\System32\DRIVERS\AmdK8.sys [2005-03-09 36352]
R1 aswSP;avast! Self Protection; C:\WINDOWS\system32\drivers\aswSP.sys [2009-11-25 114768]
R1 aswTdi;avast! Network Shield Support; C:\WINDOWS\system32\drivers\aswTdi.sys [2009-11-25 48560]
R1 cdrbsdrv;cdrbsdrv; C:\WINDOWS\system32\drivers\cdrbsdrv.sys [2004-03-08 13567]
R1 fwdrv;Firewall Driver; C:\WINDOWS\system32\drivers\fwdrv.sys [2007-02-20 302000]
R1 khips;Kerio HIPS Driver; C:\WINDOWS\system32\drivers\khips.sys [2007-02-20 71088]
R1 WS2IFSL;Podpůrné prostředí zprostředkovatele služeb Windows Socket 2.0 bez podpory IFS; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2001-10-25 12032]
R2 aswFsBlk;aswFsBlk; C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2009-11-25 20560]
R2 aswMon2;avast! Standard Shield Support; C:\WINDOWS\system32\drivers\aswMon2.sys [2009-11-25 94160]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2005-06-20 2324480]
R3 aswRdr;aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [2009-11-25 23120]
R3 ati2mtag;ati2mtag; C:\WINDOWS\System32\DRIVERS\ati2mtag.sys [2005-03-15 1032192]
R3 axsaki;axsaki; C:\WINDOWS\System32\DRIVERS\axsaki.sys [2003-03-30 102624]
R3 axskbus;axskbus; C:\WINDOWS\System32\DRIVERS\axskbus.sys [2003-03-28 8640]
R3 dvd43llh;dvd43llh; C:\WINDOWS\System32\DRIVERS\dvd43llh.sys [2007-10-25 18816]
R3 GEARAspiWDM;GEARAspiWDM; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2006-09-19 15664]
R3 RTL8023xp;Realtek RTL8139/810x/8169/8110 all in one NDIS XP Driver; C:\WINDOWS\System32\DRIVERS\Rtlnicxp.sys [2004-04-13 70144]
R3 usbehci;Ovladač miniportu rozšířeného radiče hostitele Microsoft USB 2.0; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;Rozbočovač umožnující USB2; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbohci;Ovladač Miniport otevřeného hostitelského řadiče Microsoft USB; C:\WINDOWS\System32\DRIVERS\usbohci.sys [2004-08-04 17024]
S3 Arp1394;Protokol 1394 ARP Client; C:\WINDOWS\System32\DRIVERS\arp1394.sys [2004-08-03 60800]
S3 bdfdll;bdfdll; \??\C:\Program Files\Softwin\BitDefender9\bdfdll.sys []
S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
S3 GMSIPCI;GMSIPCI; \??\D:\INSTALL\GMSIPCI.SYS []
S3 NIC1394;1394 Net Driver; C:\WINDOWS\System32\DRIVERS\nic1394.sys [2004-08-03 61824]
S3 QV2KUX;Casio Digital Camera; C:\WINDOWS\System32\DRIVERS\qv2kux.sys [2001-08-17 3328]
S3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\System32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
S3 StMp3Rec;Player Recovery Device Control Driver; C:\WINDOWS\System32\Drivers\StMp3Rec.sys [2005-05-13 68204]
S3 usbprint;Třída USB Printer; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 25856]
S3 usbscan;Ovladač skeneru USB; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 USBSTOR;Ovladač velkokapacitního paměťového zařízení USB; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Ad-Aware 2007 Service; C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe [2007-08-27 566616]
R2 aswUpdSv;avast! iAVS4 Control Service; C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe [2009-11-25 18752]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\System32\Ati2evxx.exe [2005-03-15 352256]
R2 avast! Antivirus;avast! Antivirus; C:\Program Files\Alwil Software\Avast4\ashServ.exe [2009-11-25 138680]
R2 KPF4;Sunbelt Kerio Personal Firewall 4; C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe [2007-02-20 1222192]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-20 322120]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\System32\wdfmgr.exe [2004-08-10 38912]
R3 avast! Mail Scanner;avast! Mail Scanner; C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [2009-11-25 254040]
R3 avast! Web Scanner;avast! Web Scanner; C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [2009-11-25 352920]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2006-10-30 492608]
S3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2006-03-22 68096]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S4 DPAEKIAS;DPAEKIAS; C:\DOCUME~1\MA7581~1\LOCALS~1\Temp\DPAEKIAS.exe []
S4 ELVVRNU;ELVVRNU; C:\DOCUME~1\MA7581~1\LOCALS~1\Temp\ELVVRNU.exe []
S4 EVBXGAJV;EVBXGAJV; C:\DOCUME~1\MA7581~1\LOCALS~1\Temp\EVBXGAJV.exe []
S4 GFJXKIW;GFJXKIW; C:\DOCUME~1\MA7581~1\LOCALS~1\Temp\GFJXKIW.exe []
S4 LTPSENFZED;LTPSENFZED; C:\DOCUME~1\MA7581~1\LOCALS~1\Temp\LTPSENFZED.exe []
S4 MBQVIHKC;MBQVIHKC; C:\DOCUME~1\MA7581~1\LOCALS~1\Temp\MBQVIHKC.exe []
S4 S;S; C:\DOCUME~1\MA7581~1\LOCALS~1\Temp\S.exe []
S4 TBUUSJRQLG;TBUUSJRQLG; C:\DOCUME~1\MA7581~1\LOCALS~1\Temp\TBUUSJRQLG.exe []
S4 ZAF;ZAF; C:\DOCUME~1\MA7581~1\LOCALS~1\Temp\ZAF.exe []

-----------------EOF-----------------

[motji]

Dobrý večer


Combofix stahněte takto:
- pravým myšítkem klikněte na odkaz combofixu --uložit jako.. ,a teď ho přejmenujte na Potvora.com a uložte.



Stáhněte na plochu, ukončete všechna aktivní okna a spusťte ComboFix - http://download.bleepingcomputer.com/sUBs/ComboFix.exe


- ComboFix je třeba spustit pod účtem s právy administrátora

- Před použitím vypněte všechny rezidentní bezpečnostní programy - antiviry, firewally, antispywary

- Po spuštění se zobrazí podmínky užití, potvrďte je stiskem tlačítka Ano

- Dále postupujte dle pokynů, během aplikování ComboFixu neklikejte do zobrazujícího se okna

- Po dokončení skenování, trvajícího maximálně 10 minut, by měl program vytvořit log - C:\ComboFix.txt, zkopírujte celý jeho obsah sem

[misako]

Dik moc. Nejak to combofixu trvalo.Tady je log:


ComboFix 10-07-01.02 - míša 02.07.2010 23:37:14.3.1 - x86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.420.1029.18.447.61 [GMT 2:00]
Spuštěný z: c:\documents and settings\míša\Plocha\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100702-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Sunbelt Kerio Personal Firewall *disabled* {E659E0EE-10E6-49B7-8696-60F38D0EB174}
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\INSTALL.LOG
c:\program files\Internet Explorer\SET5B.tmp
c:\program files\Internet Explorer\SET5C.tmp
c:\program files\Internet Explorer\SET5E.tmp

.
((((((((((((((((((((((((( Soubory vytvořené od 2010-06-02 do 2010-07-02 )))))))))))))))))))))))))))))))
.

2010-07-02 21:02 . 2010-07-02 21:03 -------- d-----w- c:\program files\trend micro
2010-07-02 21:02 . 2010-07-02 21:04 -------- d-----w- C:\rsit
2010-06-27 18:25 . 2010-06-27 18:25 -------- d-----w- c:\windows\system32\wbem\Repository

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-13 19:39 . 2008-02-21 19:46 -------- d-----w- c:\program files\rajce
2010-05-24 20:26 . 2001-10-25 12:00 49452 ----a-w- c:\windows\system32\perfc005.dat
2010-05-24 20:26 . 2001-10-25 12:00 318304 ----a-w- c:\windows\system32\perfh005.dat
2004-12-03 08:49 . 2006-05-01 17:26 9409536 -c----w- c:\program files\sidebarb75.exe
2004-12-02 13:31 . 2006-05-01 17:19 7741336 -c----w- c:\program files\DivX521XP2K.exe
2004-11-30 12:11 . 2006-05-01 17:12 4567928 -c----w- c:\program files\winamp506_full.exe
2004-11-30 11:37 . 2006-05-01 17:07 12717056 -c----w- c:\program files\MP10Setup.exe
2006-05-01 17:22 . 2006-05-01 17:22 56 --sh--r- c:\windows\system32\2534FE75F5.sys
2006-05-01 17:22 . 2006-05-01 17:22 1682 -csha-w- c:\windows\system32\KGyGaAvL.sys
.

------- Sigcheck -------

[-] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\8fb85d68ee3649be8b622da7b69408ee\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\4df038d60d071da9e4afe55fba7cbfbf\atapi.sys
[7] 2004-08-03 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2004-08-03 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\atapi.sys
[-] 2004-08-03 19:59 . !HASH: COULD NOT OPEN FILE !!!!! . 95360 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2002-08-29 . 95B858761A00E1D4F81F79A0DA019ACA . 86912 . . [5.1.2600.1106] . . c:\windows\$NtServicePackUninstall$\atapi.sys
[-] 2001-10-25 . A64013E98426E1877CB653685C5C0009 . 86656 . . [5.1.2600.0] . . c:\windows\system32\ReinstallBackups\0001\DriverFiles\i386\atapi.sys
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-17 339968]
"SoundMan"="SOUNDMAN.EXE" [2005-06-20 77824]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2003-12-13 33792]
"SMail"="c:\program files\Seznam\Postak\Postak.exe" [2005-11-30 450560]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"AAWTray"="c:\program files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-08 88024]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-03-12 81920]
"dvd43"="c:\program files\dvd43\dvd43_tray.exe" [2006-05-22 694272]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 144784]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-17 15360]

c:\documents and settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-3-22 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2007-6-27 118784]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Sunbelt Software\\Personal Firewall\\kpf4gui.exe"=
"c:\\Program Files\\ICQ6\\ICQ.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 d346bus;d346bus;c:\windows\system32\drivers\d346bus.sys [7.10.2007 20:57 156800]
R0 d346prt;d346prt;c:\windows\system32\drivers\d346prt.sys [7.10.2007 20:57 5248]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [1.4.2009 19:37 114768]
R1 fwdrv;Firewall Driver;c:\windows\system32\drivers\fwdrv.sys [20.2.2007 13:34 302000]
R1 khips;Kerio HIPS Driver;c:\windows\system32\drivers\khips.sys [20.2.2007 13:34 71088]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [1.4.2009 19:37 20560]
S4 DPAEKIAS;DPAEKIAS;c:\docume~1\MA7581~1\LOCALS~1\Temp\DPAEKIAS.exe --> c:\docume~1\MA7581~1\LOCALS~1\Temp\DPAEKIAS.exe [?]
S4 ELVVRNU;ELVVRNU;c:\docume~1\MA7581~1\LOCALS~1\Temp\ELVVRNU.exe --> c:\docume~1\MA7581~1\LOCALS~1\Temp\ELVVRNU.exe [?]
S4 EVBXGAJV;EVBXGAJV;c:\docume~1\MA7581~1\LOCALS~1\Temp\EVBXGAJV.exe --> c:\docume~1\MA7581~1\LOCALS~1\Temp\EVBXGAJV.exe [?]
S4 GFJXKIW;GFJXKIW;c:\docume~1\MA7581~1\LOCALS~1\Temp\GFJXKIW.exe --> c:\docume~1\MA7581~1\LOCALS~1\Temp\GFJXKIW.exe [?]
S4 LTPSENFZED;LTPSENFZED;c:\docume~1\MA7581~1\LOCALS~1\Temp\LTPSENFZED.exe --> c:\docume~1\MA7581~1\LOCALS~1\Temp\LTPSENFZED.exe [?]
S4 MBQVIHKC;MBQVIHKC;c:\docume~1\MA7581~1\LOCALS~1\Temp\MBQVIHKC.exe --> c:\docume~1\MA7581~1\LOCALS~1\Temp\MBQVIHKC.exe [?]
S4 S;S;c:\docume~1\MA7581~1\LOCALS~1\Temp\S.exe --> c:\docume~1\MA7581~1\LOCALS~1\Temp\S.exe [?]
S4 TBUUSJRQLG;TBUUSJRQLG;c:\docume~1\MA7581~1\LOCALS~1\Temp\TBUUSJRQLG.exe --> c:\docume~1\MA7581~1\LOCALS~1\Temp\TBUUSJRQLG.exe [?]
S4 ZAF;ZAF;c:\docume~1\MA7581~1\LOCALS~1\Temp\ZAF.exe --> c:\docume~1\MA7581~1\LOCALS~1\Temp\ZAF.exe [?]
.
Obsah adresáře 'Naplánované úlohy'

2010-06-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 16:13]
.
.
------- Doplňkový sken -------
.
uInternet Settings,ProxyServer = 127.0.0.1:3128
uInternet Settings,ProxyOverride = 127.0.0.1;localhost;<local>
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{230D1201-7607-4CF6-A11F-9E4BF0A333E0} - {0DB13731-CEFD-43CF-A8FD-B61DCBC4D5B8} - c:\program files\Eurotran XP\etnxp.dll
IE: {{2C73F784-D2DE-4422-B070-2E3332FE5744} - {0320AC26-52C8-4316-B2C4-24BB6FA73C9A} - c:\program files\Eurotran XP\etnxp.dll
FF - ProfilePath - c:\documents and settings\míša\Data aplikací\Mozilla\Firefox\Profiles\s2ullyll.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.seznam.cz
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.socks - 127.0.0.1
FF - prefs.js: network.proxy.socks_port - 9000
FF - prefs.js: network.proxy.ssl - 127.0.0.1
FF - prefs.js: network.proxy.ssl_port - 3128
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Common Files\ParallelGraphics\Cortona\npCortona.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCortona.dll
FF - plugin: c:\program files\Opera75\Program\Plugins\npdrmv2.dll
FF - plugin: c:\program files\Opera75\Program\Plugins\npdsplay.dll
FF - plugin: c:\program files\Opera75\Program\Plugins\NPOFFICE.DLL
FF - plugin: c:\program files\Opera75\Program\Plugins\nppl3260.dll
FF - plugin: c:\program files\Opera75\Program\Plugins\nprpjplug.dll
FF - plugin: c:\program files\Opera75\Program\Plugins\NPSWF32.dll
FF - plugin: c:\program files\Opera75\Program\Plugins\npwmsdrm.dll

---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -

AddRemove-Comanche 4 - c:\hry\Uninst.isu
AddRemove-HijackThis - c:\docume~1\MA7581~1\LOCALS~1\Temp\Rar$EX00.140\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-02 23:50
Windows 5.1.2600 Service Pack 2 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll dvd43llh.sys >>UNKNOWN [0x842074D8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf761afc3
\Driver\ACPI -> ACPI.sys @ 0xf7466cb8
\Driver\atapi -> dvd43llh.sys @ 0xf790fb20
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x8057807e
ParseProcedure -> ntkrnlpa.exe @ 0x80576ce0
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x8057807e
ParseProcedure -> ntkrnlpa.exe @ 0x80576ce0
user & kernel MBR OK

**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\ćHőwć*]
"DisplayName"="?\11\09"
"DeviceDesc"="?\11\09"
"ProviderName"="???\11??H\11??"
"MFG"="???"
"ReinstallString"=".10.1000.5"
"DeviceInstanceIds"=multi:"d:\\ati\\rs480\\sbdrv\\smbus\\smbusati.inf\00"
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(632)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2176)
c:\progra~1\WINDOW~3\wmpband.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Sunbelt Software\Personal Firewall\kpf4ss.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\SOUNDMAN.EXE
c:\windows\System32\wdfmgr.exe
c:\program files\Sunbelt Software\Personal Firewall\kpf4gui.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Sunbelt Software\Personal Firewall\kpf4gui.exe
c:\program files\Java\jre1.6.0_06\bin\jucheck.exe
.
**************************************************************************
.
Celkový čas: 2010-07-02 23:59:14 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-07-02 21:59

Před spuštěním: Volných bajtů: 26 040 246 272
Po spuštění: Volných bajtů: 26 253 139 968

WindowsXP-KB310994-SP2-Pro-BootDisk-CSY.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - 9871EC2E9751E3F2EDF66D054CE338B3

[motji]

Máte pravděpodobně infikovaný atapi.sys, pro jistotu si zazálohujte důležité soubory.
Ještě ověříme pár souborů a jdeme na věc

Dejte soubor otestovat na http://www.virustotal.com

C:\WINDOWS\System32\DRIVERS\axsaki.sys
C:\WINDOWS\System32\DRIVERS\axskbus.sys
C:\WINDOWS\System32\DRIVERS\dvd43llh.sys



-Na virustotalu dáte procházet, a do spodního okénka nakopírujete přímo cestu k souboru a dáte odeslat
-z prohlížeče zkopírujete adresu ke stránce s výsledky
-pokud se Vás zeptá, dejte soubor otestovat znovu, tak aby to byl soubor z Vašeho počítače

[misako]

Diky! Trochu mi trvalo zalohovani. Zatim mam test prvniho souboru:



Antivirus Verze Poslední aktualizace Výsledek
a-squared 5.0.0.31 2010.07.03 -
AhnLab-V3 2010.07.03.00 2010.07.03 -
AntiVir 8.2.4.2 2010.07.02 -
Antiy-AVL 2.0.3.7 2010.07.02 -
Authentium 5.2.0.5 2010.07.03 -
Avast 4.8.1351.0 2010.07.02 -
Avast5 5.0.332.0 2010.07.02 -
AVG 9.0.0.836 2010.07.03 -
BitDefender 7.2 2010.07.03 -
CAT-QuickHeal 11.00 2010.06.30 -
ClamAV 0.96.0.3-git 2010.07.03 -
Comodo 5298 2010.07.03 -
DrWeb 5.0.2.03300 2010.07.02 -
eSafe 7.0.17.0 2010.06.30 -
eTrust-Vet 36.1.7684 2010.07.03 -
F-Prot 4.6.1.107 2010.07.02 -
F-Secure 9.0.15370.0 2010.07.03 -
Fortinet 4.1.133.0 2010.07.02 -
GData 21 2010.07.03 -
Ikarus T3.1.1.84.0 2010.07.03 -
Jiangmin 13.0.900 2010.07.03 -
Kaspersky 7.0.0.125 2010.07.03 -
McAfee 5.400.0.1158 2010.07.03 -
McAfee-GW-Edition 2010.1 2010.07.02 Heuristic.BehavesLike.Win32.Rootkit.H
Microsoft 1.5902 2010.07.03 -
NOD32 5247 2010.07.02 -
Norman 6.05.10 2010.07.02 -
nProtect 2010-07-03.01 2010.07.03 -
Panda 10.0.2.7 2010.07.02 -
PCTools 7.0.3.5 2010.07.02 -
Prevx 3.0 2010.07.03 -
Rising 22.54.04.04 2010.07.02 -
Sophos 4.54.0 2010.07.03 -
Sunbelt 6538 2010.07.03 -
Symantec 20101.1.0.89 2010.07.03 -
TheHacker 6.5.2.1.307 2010.07.01 -
TrendMicro 9.120.0.1004 2010.07.03 -
TrendMicro-HouseCall 9.120.0.1004 2010.07.03 -
VBA32 3.12.12.5 2010.07.02 -
ViRobot 2010.7.3.3919 2010.07.03 -
VirusBuster 5.0.27.0 2010.07.02 -
Rozšiřující informace
File size: 102624 bytes
MD5...: 8e574d97ec504abce866d56303d92f99
SHA1..: 8c9166e6851f0320af3afc49c3b78df87a8ad5db
SHA256: a3dd651420350d7a249fa14383f142abb0f389ff9bd078f95dfb4825ec3b159c
ssdeep: 3072:rLb0/NExiCYWLYavaLXRuMDWvoG9/2kPyGe+h:rvfY+SZDuoG9+kP/R
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0xc70
timedatestamp.....: 0x3e86e8ff (Sun Mar 30 12:54:23 2003)
machinetype.......: 0x14c (I386)

( 6 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x2e0 0x1483e 0x14840 6.68 371d1a87d5384ecfbf2d23caaa26bef6
.rdata 0x14b20 0x214 0x220 4.67 53d52434ea06e62ecc4fb42b7442c21c
.data 0x14d40 0x2898 0x28a0 6.26 6cd09b80e7cc8c0681b11fb1601ca6a7
INIT 0x175e0 0x9ba 0x9c0 5.42 903d53cc897966120acfd70aacc8ac0c
.rsrc 0x17fa0 0x300 0x300 3.16 30d0090b68bd4272920087d978b8647c
.reloc 0x182a0 0xe26 0xe40 6.46 3d1799114fd8663668ff25b2fbafa5f3

( 3 imports )
> ntoskrnl.exe: KeSetEvent, ExFreePool, sprintf, ZwClose, ObfDereferenceObject, KeWaitForSingleObject, ZwUnmapViewOfSection, ZwMapViewOfSection, ObOpenObjectByPointer, ObReferenceObjectByHandle, ZwCreateSection, ZwQueryInformationFile, RtlCopyUnicodeString, ExAllocatePoolWithTag, RtlEqualUnicodeString, RtlAppendUnicodeStringToString, RtlAnsiStringToUnicodeString, RtlInitAnsiString, IofCallDriver, IoBuildSynchronousFsdRequest, KeInitializeEvent, IofCompleteRequest, RtlWriteRegistryValue, RtlIntegerToUnicodeString, IoQueryDeviceDescription, RtlCreateRegistryKey, RtlInitUnicodeString, InterlockedCompareExchange, KeTickCount, KeQueryTimeIncrement, _alldiv, _allmul, MmProbeAndLockPages, IoAllocateMdl, _stricmp, ZwQuerySystemInformation, PsGetVersion, MmUnlockPages, InterlockedDecrement, ZwSetInformationThread, PsCreateSystemThread, _wcsnicmp, IoBuildDeviceIoControlRequest, IoGetDeviceObjectPointer, IoReleaseCancelSpinLock, IoAcquireCancelSpinLock, KeResetEvent, ZwFreeVirtualMemory, ZwAllocateVirtualMemory, ZwSetValueKey, ZwOpenKey, ExInitializeNPagedLookasideList, ExDeleteNPagedLookasideList, ExInterlockedPopEntrySList, ExInterlockedPushEntrySList, InterlockedIncrement, PsGetCurrentProcessId, RtlUnicodeStringToAnsiString, KeInitializeSemaphore, KeInitializeSpinLock, KefReleaseSpinLockFromDpcLevel, KefAcquireSpinLockAtDpcLevel, ExfInterlockedRemoveHeadList, KeReleaseSemaphore, ExfInterlockedInsertTailList, KeReadStateSemaphore, memmove, _allshl, _allshr, _allrem, ZwQueryValueKey, ZwCreateKey, PsTerminateSystemThread, KeQuerySystemTime, RtlUnwind, IoFreeMdl, MmMapLockedPages, IoGetAttachedDevice, ObfReferenceObject, KeDelayExecutionThread, IoGetConfigurationInformation, RtlCompareMemory, wcslen, swprintf
> HAL.dll: KeStallExecutionProcessor, KeQueryPerformanceCounter, KfAcquireSpinLock, KfReleaseSpinLock
> SCSIPORT.SYS: ScsiPortInitialize, ScsiPortLogError, ScsiPortNotification

( 0 exports )
RDS...: NSRL Reference Data Set
-
trid..: Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....:
copyright....: Copyright (C) 2002-2003
product......:
description..: SCSI miniport
original name: axsaki.sys
internal name: axsaki.sys
file version.: 3.32.0.0
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
pdfid.: -

[misako]

Ten druhy:

a-squared 5.0.0.31 2010.07.03 -
AhnLab-V3 2010.07.03.00 2010.07.03 -
AntiVir 8.2.4.2 2010.07.02 -
Antiy-AVL 2.0.3.7 2010.07.02 -
Authentium 5.2.0.5 2010.07.03 -
Avast 4.8.1351.0 2010.07.02 -
Avast5 5.0.332.0 2010.07.02 -
AVG 9.0.0.836 2010.07.03 -
BitDefender 7.2 2010.07.03 -
CAT-QuickHeal 11.00 2010.06.30 -
ClamAV 0.96.0.3-git 2010.07.03 -
Comodo 5298 2010.07.03 -
DrWeb 5.0.2.03300 2010.07.02 -
eSafe 7.0.17.0 2010.06.30 -
eTrust-Vet 36.1.7684 2010.07.03 -
F-Prot 4.6.1.107 2010.07.02 -
F-Secure 9.0.15370.0 2010.07.03 -
Fortinet 4.1.133.0 2010.07.02 -
GData 21 2010.07.03 -
Ikarus T3.1.1.84.0 2010.07.03 -
Jiangmin 13.0.900 2010.07.03 -
Kaspersky 7.0.0.125 2010.07.03 -
McAfee 5.400.0.1158 2010.07.03 -
McAfee-GW-Edition 2010.1 2010.07.02 Heuristic.BehavesLike.Win32.Rootkit.H
Microsoft 1.5902 2010.07.03 -
NOD32 5247 2010.07.02 -
Norman 6.05.10 2010.07.02 -
nProtect 2010-07-03.01 2010.07.03 -
Panda 10.0.2.7 2010.07.02 -
PCTools 7.0.3.5 2010.07.02 -
Prevx 3.0 2010.07.03 -
Rising 22.54.04.04 2010.07.02 -
Sophos 4.54.0 2010.07.03 -
Sunbelt 6538 2010.07.03 -
Symantec 20101.1.0.89 2010.07.03 -
TheHacker 6.5.2.1.307 2010.07.01 -
TrendMicro 9.120.0.1004 2010.07.03 -
TrendMicro-HouseCall 9.120.0.1004 2010.07.03 -
VBA32 3.12.12.5 2010.07.02 -
ViRobot 2010.7.3.3919 2010.07.03 -
VirusBuster 5.0.27.0 2010.07.02 -
Rozšiřující informace
File size: 8640 bytes
MD5...: 90809122e02c3785aa5055bf9b0392b5
SHA1..: 7f6d6ebf47ddc3e0d9e1bff02d8f34f092f35da8
SHA256: 4bb3d5c9077f7567c65f47db817ec00e884490ab6bf132e7c47d712dc92fe6bb
ssdeep: 192:VxTMT+onV1vlFuD5cN/K9sb2vxy2wN/lCE:vTu+oFgD8/K9Y2vQ2wN/lC
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x18e0
timedatestamp.....: 0x3e841cd0 (Fri Mar 28 09:58:40 2003)
machinetype.......: 0x14c (I386)

( 7 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x2e0 0x7e4 0x800 6.32 36615443fcb9b04cccdb6cffcb4e96d4
.rdata 0xae0 0xa8 0xc0 3.18 1e860ad699f479ac96fe8f368f3bca42
.data 0xba0 0x50 0x60 2.07 9c955455e5698e6975cc40bc94949094
PAGE 0xc00 0xcd0 0xce0 6.29 e44776af74082ccc89f66f25d6ee366f
INIT 0x18e0 0x40e 0x420 5.43 fbf2c8b853589521e291e27945fb6056
.rsrc 0x1d00 0x320 0x320 3.23 7e35de16d4b4d2293c5ae5dd3a5b1ff0
.reloc 0x2020 0x186 0x1a0 5.24 8724fd4e8dcbc0c0fe02705220da746e

( 2 imports )
> ntoskrnl.exe: _stricmp, ExAllocatePoolWithTag, ZwQuerySystemInformation, PsGetVersion, RtlCopyUnicodeString, IofCallDriver, IofCompleteRequest, KeClearEvent, InterlockedIncrement, KeSetEvent, InterlockedDecrement, RtlAnsiStringToUnicodeString, IoGetAttachedDevice, ExFreePool, IoAttachDeviceToDeviceStack, KeInitializeEvent, IoCreateDevice, IoDetachDevice, KeWaitForSingleObject, KeLeaveCriticalRegion, KeEnterCriticalRegion, RtlInitAnsiString, swprintf, ObfDereferenceObject, IoBuildSynchronousFsdRequest, RtlUnwind, sprintf, ObfReferenceObject, IoDeleteDevice
> HAL.dll: ExAcquireFastMutex, ExReleaseFastMutex

( 0 exports )
RDS...: NSRL Reference Data Set
-
trid..: Win64 Executable Generic (95.5%)
Generic Win/DOS Executable (2.2%)
DOS Executable Generic (2.2%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
pdfid.: -
sigcheck:
publisher....:
copyright....: Copyright (C) 2002-2003
product......:
description..: Plug and Play BIOS Extension
original name: axskbus.sys
internal name: axskbus.sys
file version.: 3.32.0.0
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

[misako]

treti:


Antivirus Verze Poslední aktualizace Výsledek

a-squared 5.0.0.31 2010.07.03 -
AhnLab-V3 2010.07.03.00 2010.07.03 -
AntiVir 8.2.4.2 2010.07.02 -
Antiy-AVL 2.0.3.7 2010.07.02 -
Authentium 5.2.0.5 2010.07.03 -
Avast 4.8.1351.0 2010.07.02 -
Avast5 5.0.332.0 2010.07.02 -
AVG 9.0.0.836 2010.07.03 -
BitDefender 7.2 2010.07.03 -
CAT-QuickHeal 11.00 2010.06.30 -
ClamAV 0.96.0.3-git 2010.07.03 -
Comodo 5298 2010.07.03 -
DrWeb 5.0.2.03300 2010.07.02 -
eSafe 7.0.17.0 2010.06.30 -
eTrust-Vet 36.1.7684 2010.07.03 -
F-Prot 4.6.1.107 2010.07.02 -
F-Secure 9.0.15370.0 2010.07.03 -
Fortinet 4.1.133.0 2010.07.02 -
GData 21 2010.07.03 -
Ikarus T3.1.1.84.0 2010.07.03 -
Jiangmin 13.0.900 2010.07.03 -
Kaspersky 7.0.0.125 2010.07.03 -
McAfee 5.400.0.1158 2010.07.03 -
McAfee-GW-Edition 2010.1 2010.07.02 -
Microsoft 1.5902 2010.07.03 -
NOD32 5247 2010.07.02 -
Norman 6.05.10 2010.07.02 -
nProtect 2010-07-03.01 2010.07.03 -
Panda 10.0.2.7 2010.07.02 -
PCTools 7.0.3.5 2010.07.02 -
Rising 22.54.04.04 2010.07.02 -
Sophos 4.54.0 2010.07.03 -
Sunbelt 6538 2010.07.03 -
Symantec 20101.1.0.89 2010.07.03 -
TheHacker 6.5.2.1.307 2010.07.01 -
TrendMicro 9.120.0.1004 2010.07.03 -
TrendMicro-HouseCall 9.120.0.1004 2010.07.03 -
VBA32 3.12.12.5 2010.07.02 -
ViRobot 2010.7.3.3919 2010.07.03 -
VirusBuster 5.0.27.0 2010.07.02 -
Rozšiřující informace
File size: 18816 bytes
MD5...: 1fc1eed3ea0c3a0ecf8a95b97e1b4831
SHA1..: 0c545143227651eb90c32c93723176c276871057
SHA256: 162ca60afeeb45c45ba986d21660f23cf2432645993d4fab8c8ae27ce40da9af
ssdeep: 192:i7kK2b//pPvFhT6w8EtXG08ZMoxWm7siKs6Te5nHOrBLbmWBgLv/TlfLqE9O
Xir:G2NT8ZZM2siz6CnHOFTBm/RfLL
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x3cd6
timedatestamp.....: 0x4207b091 (Mon Feb 07 18:16:49 2005)
machinetype.......: 0x14c (I386)

( 7 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x300 0x1bea 0x1c00 6.67 f33d1998e70d8573105cb93548891024
.rdata 0x1f00 0x11f 0x180 3.79 ffa68c4864059a4419af1a083666b54d
.data 0x2080 0xe10 0xe80 3.18 7b1c0c2c729f5b4d7b7a2127413d3c08
PAGE 0x2f00 0xe89 0xf00 6.27 30ec7d5bb84d78a3cbc335bbde725bae
INIT 0x3e00 0x42c 0x480 4.80 c0af4d28d8f6548b81be1d812cfcc522
.rsrc 0x4280 0x438 0x480 3.13 7c98954dcb3b1147ad768a5ade6342e2
.reloc 0x4700 0x220 0x280 4.71 4c33fa309d1ea4f9addc0bf4b27e2421

( 2 imports )
> NTOSKRNL.EXE: InterlockedIncrement, InterlockedDecrement, ObReferenceObjectByHandle, ExEventObjectType, ObfDereferenceObject, KeSetEvent, RtlFreeUnicodeString, IofCompleteRequest, IoReleaseRemoveLockEx, PoCallDriver, IoAcquireRemoveLockEx, ExFreePool, IofCallDriver, IoGetAttachedDeviceReference, IoDeleteDevice, IoDetachDevice, IoFreeIrp, KeWaitForSingleObject, IoBuildDeviceIoControlRequest, KeInitializeEvent, IoFreeMdl, MmBuildMdlForNonPagedPool, IoAllocateMdl, IoReuseIrp, PoStartNextPowerIrp, RtlCompareMemory, IoAllocateIrp, IoAttachDeviceToDeviceStack, IoInitializeRemoveLockEx, IoCreateDevice, IoReleaseRemoveLockAndWaitEx, RtlCopyUnicodeString, KeQuerySystemTime, memmove, MmMapLockedPagesSpecifyCache, InterlockedExchange, ExAllocatePoolWithTag
> HAL.DLL: KeQueryPerformanceCounter

( 0 exports )
RDS...: NSRL Reference Data Set
-
trid..: Generic Win/DOS Executable (49.9%)
DOS Executable Generic (49.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
sigcheck:
publisher....: RIF
copyright....: Copyleft (c) 2002 - 2005 RIF
product......: DVD For Free
description..: dvd43llh.sys
original name: dvd43llh.sys
internal name: DVD43LLH
file version.: 3.5.000
comments.....: This driver help you to watch VIDEO-DVD and play AUDIO-CD on your computer
signers......: -
signing date.: -
verified.....: Unsigned
pdfid.: -

[misako]

V tom prvnim a v tom druhym bylo cervene toto:
McAfee-GW-Edition 2010.1 2010.07.02 Heuristic.BehavesLike.Win32.Rootkit.H
Ve tretim nic

[motji]

Pokud nemáte, přesuňte Combofix na plochu
-otevřete si Poznámkový blok
-Do něj zkopírujte text z tohoto okénka

Kód: Vybrat vše

KillAll::

FCOPY::
c:\windows\system32\dllcache\atapi.sys | c:\windows\system32\drivers\atapi.sys

Collect::
c:\docume~1\MA7581~1\LOCALS~1\Temp\DPAEKIAS.exe
c:\docume~1\MA7581~1\LOCALS~1\Temp\ELVVRNU.exe
c:\docume~1\MA7581~1\LOCALS~1\Temp\EVBXGAJV.exe 
c:\docume~1\MA7581~1\LOCALS~1\Temp\GFJXKIW.exe
c:\docume~1\MA7581~1\LOCALS~1\Temp\LTPSENFZED.exe
c:\docume~1\MA7581~1\LOCALS~1\Temp\MBQVIHKC.exe
c:\docume~1\MA7581~1\LOCALS~1\Temp\S.exe
c:\docume~1\MA7581~1\LOCALS~1\Temp\TBUUSJRQLG.exe 
c:\docume~1\MA7581~1\LOCALS~1\Temp\ZAF.exe

Driver::
DPAEKIAS
ELVVRNU
EVBXGAJV
GFJXKIW
LTPSENFZED
MBQVIHKC
S
TBUUSJRQLG
ZAF

-uložte Vámi vytvořený TXT soubor jako CFScript.txt na plochu
-po uložení uchopte vámi vytvořený skript levým myšítkem a -přesuňte ho nad ikonu Combofixu, kde ho upustíte:




-po aplikaci na Vás vypadne další log,vložte ho sem

Upozornění : může se stát, že po aplikaci skriptu a restartu Windows nenaběhnou, v tom případě znovu restartujte a přitom mačkejte F8, pak zvolte Poslední známou funkční konfiguraci

[misako]

Posilam log. Vic muzu az vecer:( zatim ahoj!


ComboFix 10-07-01.02 - míša 03.07.2010 9:50.4.1 - x86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.420.1029.18.447.59 [GMT 2:00]
Spuštěný z: c:\documents and settings\míša\Plocha\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\míša\Plocha\CFScript.txt
AV: avast! antivirus 4.8.1368 [VPS 100702-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Sunbelt Kerio Personal Firewall *enabled* {E659E0EE-10E6-49B7-8696-60F38D0EB174}
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\system32\dllcache\atapi.sys --> c:\windows\system32\drivers\atapi.sys
.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DPAEKIAS
-------\Legacy_ELVVRNU
-------\Legacy_EVBXGAJV
-------\Legacy_GFJXKIW
-------\Legacy_LTPSENFZED
-------\Legacy_MBQVIHKC
-------\Legacy_S
-------\Legacy_TBUUSJRQLG
-------\Legacy_ZAF
-------\Service_DPAEKIAS
-------\Service_ELVVRNU
-------\Service_EVBXGAJV
-------\Service_GFJXKIW
-------\Service_LTPSENFZED
-------\Service_MBQVIHKC
-------\Service_S
-------\Service_TBUUSJRQLG
-------\Service_ZAF


((((((((((((((((((((((((( Soubory vytvořené od 2010-06-03 do 2010-07-03 )))))))))))))))))))))))))))))))
.

2010-07-02 21:02 . 2010-07-02 21:03 -------- d-----w- c:\program files\trend micro
2010-07-02 21:02 . 2010-07-02 21:04 -------- d-----w- C:\rsit
2010-06-27 18:25 . 2010-06-27 18:25 -------- d-----w- c:\windows\system32\wbem\Repository

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-03 07:03 . 2010-07-03 07:38 184066 ----a-w- c:\windows\PCHEALTH\HELPCTR\Config\Cache\Professional_32_1029.dat
2010-06-13 19:39 . 2008-02-21 19:46 -------- d-----w- c:\program files\rajce
2010-05-24 20:26 . 2001-10-25 12:00 49452 ----a-w- c:\windows\system32\perfc005.dat
2010-05-24 20:26 . 2001-10-25 12:00 318304 ----a-w- c:\windows\system32\perfh005.dat
2004-12-03 08:49 . 2006-05-01 17:26 9409536 -c----w- c:\program files\sidebarb75.exe
2004-12-02 13:31 . 2006-05-01 17:19 7741336 -c----w- c:\program files\DivX521XP2K.exe
2004-11-30 12:11 . 2006-05-01 17:12 4567928 -c----w- c:\program files\winamp506_full.exe
2004-11-30 11:37 . 2006-05-01 17:07 12717056 -c----w- c:\program files\MP10Setup.exe
2006-05-01 17:22 . 2006-05-01 17:22 56 --sh--r- c:\windows\system32\2534FE75F5.sys
2006-05-01 17:22 . 2006-05-01 17:22 1682 -csha-w- c:\windows\system32\KGyGaAvL.sys
.

------- Sigcheck -------

[-] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\8fb85d68ee3649be8b622da7b69408ee\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\4df038d60d071da9e4afe55fba7cbfbf\atapi.sys
[7] 2004-08-03 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2004-08-03 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\atapi.sys
[-] 2004-08-03 17:59 . !HASH: COULD NOT OPEN FILE !!!!! . 95360 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2002-08-29 . 95B858761A00E1D4F81F79A0DA019ACA . 86912 . . [5.1.2600.1106] . . c:\windows\$NtServicePackUninstall$\atapi.sys
[-] 2001-10-25 . A64013E98426E1877CB653685C5C0009 . 86656 . . [5.1.2600.0] . . c:\windows\system32\ReinstallBackups\0001\DriverFiles\i386\atapi.sys
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-17 339968]
"SoundMan"="SOUNDMAN.EXE" [2005-06-20 77824]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2003-12-13 33792]
"SMail"="c:\program files\Seznam\Postak\Postak.exe" [2005-11-30 450560]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"AAWTray"="c:\program files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-08 88024]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-03-12 81920]
"dvd43"="c:\program files\dvd43\dvd43_tray.exe" [2006-05-22 694272]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 144784]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-17 15360]

c:\documents and settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-3-22 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2007-6-27 118784]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Sunbelt Software\\Personal Firewall\\kpf4gui.exe"=
"c:\\Program Files\\ICQ6\\ICQ.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 d346bus;d346bus;c:\windows\system32\drivers\d346bus.sys [7.10.2007 20:57 156800]
R0 d346prt;d346prt;c:\windows\system32\drivers\d346prt.sys [7.10.2007 20:57 5248]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [1.4.2009 19:37 114768]
R1 fwdrv;Firewall Driver;c:\windows\system32\drivers\fwdrv.sys [20.2.2007 13:34 302000]
R1 khips;Kerio HIPS Driver;c:\windows\system32\drivers\khips.sys [20.2.2007 13:34 71088]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [1.4.2009 19:37 20560]
.
Obsah adresáře 'Naplánované úlohy'

2010-06-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 16:13]
.
.
------- Doplňkový sken -------
.
uInternet Settings,ProxyServer = 127.0.0.1:3128
uInternet Settings,ProxyOverride = 127.0.0.1;localhost;<local>
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{230D1201-7607-4CF6-A11F-9E4BF0A333E0} - {0DB13731-CEFD-43CF-A8FD-B61DCBC4D5B8} - c:\program files\Eurotran XP\etnxp.dll
IE: {{2C73F784-D2DE-4422-B070-2E3332FE5744} - {0320AC26-52C8-4316-B2C4-24BB6FA73C9A} - c:\program files\Eurotran XP\etnxp.dll
FF - ProfilePath - c:\documents and settings\míša\Data aplikací\Mozilla\Firefox\Profiles\s2ullyll.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.seznam.cz
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.socks - 127.0.0.1
FF - prefs.js: network.proxy.socks_port - 9000
FF - prefs.js: network.proxy.ssl - 127.0.0.1
FF - prefs.js: network.proxy.ssl_port - 3128
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Common Files\ParallelGraphics\Cortona\npCortona.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCortona.dll
FF - plugin: c:\program files\Opera75\Program\Plugins\npdrmv2.dll
FF - plugin: c:\program files\Opera75\Program\Plugins\npdsplay.dll
FF - plugin: c:\program files\Opera75\Program\Plugins\NPOFFICE.DLL
FF - plugin: c:\program files\Opera75\Program\Plugins\nppl3260.dll
FF - plugin: c:\program files\Opera75\Program\Plugins\nprpjplug.dll
FF - plugin: c:\program files\Opera75\Program\Plugins\NPSWF32.dll
FF - plugin: c:\program files\Opera75\Program\Plugins\npwmsdrm.dll

---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-03 10:01
Windows 5.1.2600 Service Pack 2 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll dvd43llh.sys >>UNKNOWN [0x84148258]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf761afc3
\Driver\ACPI -> ACPI.sys @ 0xf7466cb8
\Driver\atapi -> dvd43llh.sys @ 0xf7907b20
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x8057807e
ParseProcedure -> ntkrnlpa.exe @ 0x80576ce0
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x8057807e
ParseProcedure -> ntkrnlpa.exe @ 0x80576ce0
user & kernel MBR OK

**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\ćHőwć*]
"DisplayName"="?\11\09"
"DeviceDesc"="?\11\09"
"ProviderName"="???\11??H\11??"
"MFG"="???"
"ReinstallString"=".10.1000.5"
"DeviceInstanceIds"=multi:"d:\\ati\\rs480\\sbdrv\\smbus\\smbusati.inf\00"
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(632)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2084)
c:\progra~1\WINDOW~3\wmpband.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Sunbelt Software\Personal Firewall\kpf4ss.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\SOUNDMAN.EXE
c:\windows\System32\wdfmgr.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Sunbelt Software\Personal Firewall\kpf4gui.exe
c:\program files\Sunbelt Software\Personal Firewall\kpf4gui.exe
c:\program files\Java\jre1.6.0_06\bin\jucheck.exe
.
**************************************************************************
.
Celkový čas: 2010-07-03 10:06:33 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-07-03 08:06
ComboFix2.txt 2010-07-02 21:59

Před spuštěním: Volných bajtů: 26 226 515 968
Po spuštění: Volných bajtů: 26 206 711 808

- - End Of File - - F39E2657A24612DBEBB862F608EC3ACD

[motji]

Stáhněte Avenger
http://swandog46.geekstogo.com/avenger.exe

-spustíte program a potvrdíte kliknutím na ok,tím potvrzujete, že všechny činnosti s tím spojené činíte na vlastní riziko.
-Po odkliknutí se objeví hlavní okno programu,do bílého okna něj zkopírujte tento skript:

Kód: Vybrat vše

Begin copying here:
Files to move:
c:\windows\ServicePackFiles\i386\atapi.sys | c:\windows\system32\drivers\atapi.sys

-zaškrtněte políčko scan for rootkits

a klikněte na tlačítko Execute.
-Potom se objeví okno,kde kliknutím Yes potvrdíte spuštění skriptu. Pak znovu tlačítkem yes potvrdíte restart počítače.
-Po restartu by se měl otevřít poznámkový blok s logem o vykonání skriptu, bude také uložený v C:\avenger.txt.
-Log vložte sem

A pak hned spusťte combofix


Já tu budu až po 10 večer

[misako]

Log:

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "c:\windows\ServicePackFiles\i386\atapi.sys|c:\windows\system32\drivers\atapi.sys" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

[motji]

Ještě počkám na ten log z combofixu.

[misako]

jo jo tady je:)

ComboFix 10-07-01.02 - míša 03.07.2010 22:08:59.5.1 - x86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.420.1029.18.447.60 [GMT 2:00]
Spuštěný z: c:\documents and settings\míša\Plocha\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100703-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Sunbelt Kerio Personal Firewall *enabled* {E659E0EE-10E6-49B7-8696-60F38D0EB174}
.

((((((((((((((((((((((((( Soubory vytvořené od 2010-06-03 do 2010-07-03 )))))))))))))))))))))))))))))))
.

2010-07-02 21:02 . 2010-07-02 21:03 -------- d-----w- c:\program files\trend micro
2010-07-02 21:02 . 2010-07-02 21:04 -------- d-----w- C:\rsit
2010-06-27 18:25 . 2010-06-27 18:25 -------- d-----w- c:\windows\system32\wbem\Repository

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-03 07:03 . 2010-07-03 07:38 184066 ----a-w- c:\windows\PCHEALTH\HELPCTR\Config\Cache\Professional_32_1029.dat
2010-06-13 19:39 . 2008-02-21 19:46 -------- d-----w- c:\program files\rajce
2010-05-24 20:26 . 2001-10-25 12:00 49452 ----a-w- c:\windows\system32\perfc005.dat
2010-05-24 20:26 . 2001-10-25 12:00 318304 ----a-w- c:\windows\system32\perfh005.dat
2004-12-03 08:49 . 2006-05-01 17:26 9409536 -c----w- c:\program files\sidebarb75.exe
2004-12-02 13:31 . 2006-05-01 17:19 7741336 -c----w- c:\program files\DivX521XP2K.exe
2004-11-30 12:11 . 2006-05-01 17:12 4567928 -c----w- c:\program files\winamp506_full.exe
2004-11-30 11:37 . 2006-05-01 17:07 12717056 -c----w- c:\program files\MP10Setup.exe
2006-05-01 17:22 . 2006-05-01 17:22 56 --sh--r- c:\windows\system32\2534FE75F5.sys
2006-05-01 17:22 . 2006-05-01 17:22 1682 -csha-w- c:\windows\system32\KGyGaAvL.sys
.

------- Sigcheck -------

[-] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\8fb85d68ee3649be8b622da7b69408ee\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\4df038d60d071da9e4afe55fba7cbfbf\atapi.sys
[7] 2004-08-03 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\atapi.sys
[-] 2004-08-03 19:59 . !HASH: COULD NOT OPEN FILE !!!!! . 95360 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2002-08-29 . 95B858761A00E1D4F81F79A0DA019ACA . 86912 . . [5.1.2600.1106] . . c:\windows\$NtServicePackUninstall$\atapi.sys
[-] 2001-10-25 . A64013E98426E1877CB653685C5C0009 . 86656 . . [5.1.2600.0] . . c:\windows\system32\ReinstallBackups\0001\DriverFiles\i386\atapi.sys
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-17 339968]
"SoundMan"="SOUNDMAN.EXE" [2005-06-20 77824]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2003-12-13 33792]
"SMail"="c:\program files\Seznam\Postak\Postak.exe" [2005-11-30 450560]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"AAWTray"="c:\program files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-08 88024]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-03-12 81920]
"dvd43"="c:\program files\dvd43\dvd43_tray.exe" [2006-05-22 694272]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 144784]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-17 15360]

c:\documents and settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-3-22 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2007-6-27 118784]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Sunbelt Software\\Personal Firewall\\kpf4gui.exe"=
"c:\\Program Files\\ICQ6\\ICQ.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 d346bus;d346bus;c:\windows\system32\drivers\d346bus.sys [7.10.2007 20:57 156800]
R0 d346prt;d346prt;c:\windows\system32\drivers\d346prt.sys [7.10.2007 20:57 5248]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [1.4.2009 19:37 114768]
R1 fwdrv;Firewall Driver;c:\windows\system32\drivers\fwdrv.sys [20.2.2007 13:34 302000]
R1 khips;Kerio HIPS Driver;c:\windows\system32\drivers\khips.sys [20.2.2007 13:34 71088]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [1.4.2009 19:37 20560]
.
Obsah adresáře 'Naplánované úlohy'

2010-06-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 16:13]
.
.
------- Doplňkový sken -------
.
uInternet Settings,ProxyServer = 127.0.0.1:3128
uInternet Settings,ProxyOverride = 127.0.0.1;localhost;<local>
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{230D1201-7607-4CF6-A11F-9E4BF0A333E0} - {0DB13731-CEFD-43CF-A8FD-B61DCBC4D5B8} - c:\program files\Eurotran XP\etnxp.dll
IE: {{2C73F784-D2DE-4422-B070-2E3332FE5744} - {0320AC26-52C8-4316-B2C4-24BB6FA73C9A} - c:\program files\Eurotran XP\etnxp.dll
FF - ProfilePath - c:\documents and settings\míša\Data aplikací\Mozilla\Firefox\Profiles\s2ullyll.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.seznam.cz
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.socks - 127.0.0.1
FF - prefs.js: network.proxy.socks_port - 9000
FF - prefs.js: network.proxy.ssl - 127.0.0.1
FF - prefs.js: network.proxy.ssl_port - 3128
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Common Files\ParallelGraphics\Cortona\npCortona.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCortona.dll
FF - plugin: c:\program files\Opera75\Program\Plugins\npdrmv2.dll
FF - plugin: c:\program files\Opera75\Program\Plugins\npdsplay.dll
FF - plugin: c:\program files\Opera75\Program\Plugins\NPOFFICE.DLL
FF - plugin: c:\program files\Opera75\Program\Plugins\nppl3260.dll
FF - plugin: c:\program files\Opera75\Program\Plugins\nprpjplug.dll
FF - plugin: c:\program files\Opera75\Program\Plugins\NPSWF32.dll
FF - plugin: c:\program files\Opera75\Program\Plugins\npwmsdrm.dll

---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-03 22:19
Windows 5.1.2600 Service Pack 2 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll dvd43llh.sys >>UNKNOWN [0x8442A010]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf761afc3
\Driver\ACPI -> ACPI.sys @ 0xf7466cb8
\Driver\atapi -> dvd43llh.sys @ 0xf7907b20
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x8057807e
ParseProcedure -> ntkrnlpa.exe @ 0x80576ce0
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x8057807e
ParseProcedure -> ntkrnlpa.exe @ 0x80576ce0
user & kernel MBR OK

**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\ćHőwć*]
"DisplayName"="?\11\09"
"DeviceDesc"="?\11\09"
"ProviderName"="???\11??H\11??"
"MFG"="???"
"ReinstallString"=".10.1000.5"
"DeviceInstanceIds"=multi:"d:\\ati\\rs480\\sbdrv\\smbus\\smbusati.inf\00"
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(628)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\WINSPOOL.DRV

- - - - - - - > 'explorer.exe'(944)
c:\progra~1\WINDOW~3\wmpband.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\SOUNDMAN.EXE
c:\windows\System32\wdfmgr.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Java\jre1.6.0_06\bin\jucheck.exe
.
**************************************************************************
.
Celkový čas: 2010-07-03 22:29:31 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-07-03 20:29
ComboFix2.txt 2010-07-03 08:06
ComboFix3.txt 2010-07-02 21:59

Před spuštěním: Volných bajtů: 26 195 918 848
Po spuštění: Volných bajtů: 26 176 438 272

- - End Of File - - 6557C29C878D7D1B03CFC26665BB2125

[motji]

Něco nám tam vrací změny. Budete mít se mnou ještě trochu trpělivosti?

Otestujte na www.virustotal.com

c:\windows\system32\dllcache\atapi.sys
c:\windows\system32\drivers\atapi.sys



-Do okénka zkopírujte cestu k souboru , pokud napíše, že soubor byl už testován, dejte otestovat znovu.
-Sem vložte link s výsledky.



stáhněte na plochu http://support.kaspersky.com/downloads/ ... killer.zip

Otevřete si Poznámkový blok a zkopírujte do něj text

Kód: Vybrat vše

@echo off
"%userprofile%\desktop\TDSSKiller.exe" -l report.txt -v
notepad report.txt
del %0
exit

 

-uložte jako (typ: všechny soubory) kde za název souboru zadáte "antiTDL3.bat" bez uvozovek,
-klikněte na uložit, pak na soubor standardně 2X klikněte , spustí se sken, po skončení zmáčkněte libovolnou klávesu.
-otevře se poznámkový blok, obsah zde zkopírujte