
PC disinfection, computer speed-up, remote help via the neslape.cz service
Please check after repair and cleanup
Forum rules
If you want help, post a log from FRST [guide here] or RSIT [guide here]
Individual threads will be locked once resolved, as will those inactive for more than 14 days. See the Rule on locking topics. Thank you for your understanding.
!NEW!
You can now use the remote help service, where an expert connects to your computer and gets further details about the problem from you by phone! More at www.neslape.cz
Hello.
I had a problem with iexplore.exe: it was running (even though I don't use IE, I use Opera) and on top of that it was playing sound from a Flash ad for some online farm game?? Also, on shutdown it wouldn't terminate, and the PC came back up reporting an unexpected shutdown.
The PC was cleaned with Avast Home, ESET Online Scanner, AVG Anti-Rootkit, Malwarebytes, Spybot and Windows Defender, then CCleaner and HijackThis.
None of it helped, and none of them reported anything serious that would be related... I also did a System Restore - no use - and tried removing/reinstalling IE8.
Only ComboFix reported a problem and apparently fixed it. Sorry for writing at such length, but I think these are necessary details.
Here is the log:
Logfile of random's system information tool 1.08 (written by random/random)
Run by Milan at 2010-08-05 14:34:31
Microsoft® Windows Vista™ Home Premium Service Pack 2
System drive C: has 60 GB (40%) free of 151 GB
Total RAM: 3326 MB (64% free)
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 14:34:42, on 5.8.2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18928)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\conime.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\System32\mobsync.exe
C:\Windows\Explorer.exe
H:\stahovačka\RSIT.exe
C:\Program Files\trend micro\Milan.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.centrum.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.0.14.1:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Pomocník pro přihlášení ke službě Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{B34111F9-934E-414C-A437-0D91D4D067C2}: NameServer = 212.71.128.9
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\Windows\System32\guard32.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Google Update Service (gupdate1c9de051e6229f3) (gupdate1c9de051e6229f3) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NMSAccess - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software - C:\Windows\System32\TuneUpDefragService.exe
O23 - Service: @%SystemRoot%\System32\TUProgSt.exe,-1 (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\Windows\System32\TUProgSt.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
--
End of file - 6762 bytes
======Scheduled tasks folder======
C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
C:\Windows\tasks\User_Feed_Synchronization-{60B2397D-7A44-434C-B979-0497A9FA82BA}.job
C:\Windows\tasks\Úklid 1 kliknutím.job
======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000123B4-9B42-4900-B3F7-F4B073EFC214}]
Octh Class - C:\Program Files\Orbitdownloader\orbitcth.dll [2010-05-07 240912]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2010-06-19 75200]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre6\bin\ssv.dll [2010-01-25 321312]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Pomocník pro přihlášení ke službě Windows Live - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22 408448]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-01-25 41760]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{C55BBCD6-41AD-48AD-9953-3609C48EACC7} - Grab Pro - C:\Program Files\Orbitdownloader\GrabPro.dll [2010-05-07 666816]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-21 1008184]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2010-01-25 149280]
"StartCCC"=C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [2010-05-27 102400]
"RtHDVCpl"=C:\Windows\RtHDVCpl.exe [2007-05-10 4468736]
"itype"=C:\Program Files\Microsoft IntelliType Pro\itype.exe [2008-06-10 1442888]
"COMODO Internet Security"=C:\Program Files\COMODO\COMODO Internet Security\cfp.exe [2010-04-22 2029456]
"ArcSoft Connection Service"=C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe [2008-07-04 109056]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2010-06-20 35760]
"Adobe ARM"=C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2010-06-09 976832]
"AcronisTimounterMonitor"=C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe [2008-03-06 910744]
"avast5"=C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe [2010-06-28 2837864]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe [2008-01-21 202240]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast5]
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe [2010-06-28 2837864]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\Windows\System32\guard32.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"= []
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
relog_ap
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfPf]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfRd]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfSvc]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfUsbccidDriver]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=0
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives"=0
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"BindDirectlyToPropertySetStorage"=0
"NoDrives"=0
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\Orbitdownloader\orbitdm.exe"="C:\Program Files\Orbitdownloader\orbitdm.exe:*:Enabled:Orbit"
"C:\Program Files\Orbitdownloader\orbitnet.exe"="C:\Program Files\Orbitdownloader\orbitnet.exe:*:Enabled:Orbit"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
"Debugger="C:\Program Files\TuneUp Utilities 2009\PMLauncher.exe
======File associations======
Re: Please check after repair and cleanup
The next part:
.js - edit - C:\Windows\System32\Notepad.exe %1
======List of files/folders created in the last 1 months======
2010-08-05 14:34:31 ----D---- C:\rsit
2010-08-05 14:34:31 ----D---- C:\Program Files\trend micro
2010-08-05 13:57:38 ----D---- C:\Windows\temp
2010-08-05 13:57:36 ----A---- C:\ComboFix.txt
2010-08-05 13:51:28 ----D---- C:\$RECYCLE.BIN
2010-08-05 13:32:59 ----A---- C:\Windows\zip.exe
2010-08-05 13:32:59 ----A---- C:\Windows\SWSC.exe
2010-08-05 13:32:59 ----A---- C:\Windows\SWREG.exe
2010-08-05 13:32:59 ----A---- C:\Windows\sed.exe
2010-08-05 13:32:59 ----A---- C:\Windows\PEV.exe
2010-08-05 13:32:59 ----A---- C:\Windows\NIRCMD.exe
2010-08-05 13:32:59 ----A---- C:\Windows\MBR.exe
2010-08-05 13:32:59 ----A---- C:\Windows\grep.exe
2010-08-05 13:31:40 ----A---- C:\Windows\SWXCACLS.exe
2010-08-05 10:23:10 ----D---- C:\Program Files\GRISOFT
2010-08-05 10:23:10 ----A---- C:\Windows\system32\drivers\AvgArCln.sys
2010-08-05 00:06:26 ----A---- C:\Windows\system32\browserchoice.exe
2010-08-04 23:56:05 ----A---- C:\Windows\system32\shell32.dll
2010-08-04 23:10:17 ----ASH---- C:\hiberfil.sys
2010-08-04 17:27:16 ----D---- C:\Users\Milan\AppData\Roaming\Acronis
2010-08-03 15:59:55 ----ASH---- C:\pagefile.sys
2010-07-30 11:29:20 ----A---- C:\Windows\system32\drivers\StarOpen.sys
2010-07-30 11:08:45 ----D---- C:\Program Files\Ashampoo
2010-07-30 10:40:12 ----A---- C:\Windows\system32\QTCF.dll
2010-07-23 13:18:15 ----D---- C:\Users\Milan\AppData\Roaming\vlc
2010-07-22 21:35:45 ----D---- C:\Program Files\GIMP-2.0
2010-07-22 09:04:32 ----D---- C:\Program Files\GIMP 2.7
2010-07-09 21:04:40 ----A---- C:\Windows\system32\xfcodec.dll
======List of files/folders modified in the last 1 months======
2010-08-05 14:34:42 ----D---- C:\Windows\Prefetch
2010-08-05 14:34:31 ----D---- C:\Program Files
2010-08-05 14:11:15 ----SHD---- C:\System Volume Information
2010-08-05 13:57:38 ----D---- C:\Windows\system32\drivers
2010-08-05 13:57:38 ----D---- C:\Windows
2010-08-05 13:57:38 ----D---- C:\Qoobox
2010-08-05 13:56:15 ----D---- C:\Windows\ERDNT
2010-08-05 13:51:34 ----A---- C:\Windows\system.ini
2010-08-05 13:51:20 ----D---- C:\Windows\system32\drivers\etc
2010-08-05 13:48:49 ----D---- C:\Windows\System32
2010-08-05 13:46:18 ----D---- C:\Windows\AppPatch
2010-08-05 13:46:17 ----D---- C:\Program Files\Common Files
2010-08-05 12:41:53 ----D---- C:\Windows\security
2010-08-05 12:33:12 ----D---- C:\Program Files\Mozilla Thunderbird
2010-08-05 11:35:46 ----D---- C:\Program Files\Stereoscopic Player
2010-08-05 10:51:05 ----D---- C:\Users\Milan\AppData\Roaming\Orbit
2010-08-05 09:54:19 ----SD---- C:\Users\Milan\AppData\Roaming\Microsoft
2010-08-05 09:54:14 ----D---- C:\ProgramData
2010-08-05 00:06:36 ----D---- C:\Windows\winsxs
2010-08-05 00:06:35 ----D---- C:\Windows\system32\catroot2
2010-08-05 00:06:35 ----D---- C:\Windows\system32\catroot
2010-08-04 23:43:58 ----D---- C:\Windows\system32\Msdtc
2010-08-04 23:43:56 ----D---- C:\Windows\system32\wbem
2010-08-04 23:43:49 ----D---- C:\Windows\pss
2010-08-04 23:43:12 ----D---- C:\Windows\system32\config
2010-08-04 23:42:47 ----D---- C:\Windows\PolicyDefinitions
2010-08-04 23:42:47 ----D---- C:\Windows\inf
2010-08-04 23:42:43 ----D---- C:\Windows\Tasks
2010-08-04 23:42:43 ----D---- C:\Windows\system32\Tasks
2010-08-04 23:42:43 ----D---- C:\Windows\system32\spool
2010-08-04 23:42:43 ----D---- C:\Windows\system32\CodeIntegrity
2010-08-04 23:42:41 ----SHD---- C:\Windows\Installer
2010-08-04 23:42:41 ----D---- C:\Windows\rescache
2010-08-04 23:42:34 ----D---- C:\Users\Milan\AppData\Roaming\Xfire
2010-08-04 23:42:34 ----D---- C:\Users\Milan\AppData\Roaming\TS3Client
2010-08-04 23:42:33 ----D---- C:\Users\Milan\AppData\Roaming\Thunderbird
2010-08-04 23:42:33 ----D---- C:\Users\Milan\AppData\Roaming\Skype
2010-08-04 23:42:33 ----D---- C:\Users\Milan\AppData\Roaming\RapidGet
2010-08-04 23:42:32 ----D---- C:\Users\Milan\AppData\Roaming\MakeUpPilot
2010-08-04 23:42:32 ----D---- C:\Users\Milan\AppData\Roaming\KeePass
2010-08-04 23:42:32 ----D---- C:\Users\Milan\AppData\Roaming\HLSW
2010-08-04 23:42:32 ----D---- C:\Users\Milan\AppData\Roaming\Hamachi
2010-08-04 23:42:32 ----D---- C:\Users\Milan\AppData\Roaming\gtk-2.0
2010-08-04 23:42:32 ----D---- C:\Users\Milan\AppData\Roaming\GHISLER
2010-08-04 23:42:32 ----D---- C:\Users\Milan\AppData\Roaming\dvdcss
2010-08-04 23:42:32 ----D---- C:\Users\Milan\AppData\Roaming\DVD Flick
2010-08-04 23:42:32 ----D---- C:\Users\Milan\AppData\Roaming\DeepBurner
2010-08-04 23:42:32 ----D---- C:\Users\Milan\AppData\Roaming\DAEMON Tools
2010-08-04 23:42:32 ----D---- C:\Users\Milan\AppData\Roaming\BeautyPilot
2010-08-04 23:42:27 ----D---- C:\ProgramData\Xfire
2010-08-04 23:42:27 ----D---- C:\ProgramData\Ulead Systems
2010-08-04 23:42:27 ----D---- C:\ProgramData\Spybot - Search & Destroy
2010-08-04 23:42:27 ----D---- C:\Program Files\Microsoft Silverlight
2010-08-04 23:42:25 ----D---- C:\Program Files\Ant Movie Catalog
2010-08-04 23:42:05 ----D---- C:\Windows\registration
2010-08-04 23:41:58 ----D---- C:\Program Files\Internet Explorer
2010-08-04 21:23:37 ----SD---- C:\Windows\Downloaded Program Files
2010-08-04 20:56:53 ----D---- C:\Windows\Minidump
2010-08-04 18:43:25 ----D---- C:\Users\Milan\AppData\Roaming\skypePM
2010-08-04 18:26:38 ----D---- C:\ProgramData\Acronis
2010-08-04 13:43:31 ----D---- C:\Users\Milan\AppData\Roaming\Media Player Classic
2010-08-03 21:08:37 ----D---- C:\downloads
2010-08-02 23:09:29 ----D---- C:\Windows\Debug
2010-08-01 23:22:21 ----A---- C:\Windows\system32\PnkBstrB.exe
2010-08-01 18:13:18 ----A---- C:\Windows\system32\PerfStringBackup.INI
2010-08-01 18:11:51 ----D---- C:\Program Files\Xfire
2010-07-31 10:22:11 ----D---- C:\Windows\system32\LogFiles
2010-07-31 10:09:08 ----D---- C:\Boot
2010-07-30 11:29:20 ----D---- C:\Program Files\CDBurnerXP
2010-07-30 11:25:24 ----D---- C:\Program Files\CCleaner
2010-07-30 11:14:57 ----D---- C:\Users\Milan\AppData\Roaming\Ashampoo
2010-07-30 10:40:20 ----D---- C:\Program Files\QuickTime Alternative
2010-07-28 17:26:30 ----D---- C:\Program Files\Avidemux 2.5
2010-07-27 12:55:02 ----D---- C:\Program Files\Opera
2010-07-26 11:31:38 ----D---- C:\VueScan
2010-07-26 10:24:16 ----D---- C:\Users\Milan\AppData\Roaming\Mozilla
2010-07-23 15:06:04 ----D---- C:\Program Files\FastStone Image Viewer
2010-07-14 13:07:17 ----D---- C:\Program Files\Windows Mail
2010-07-14 12:57:00 ----D---- C:\Windows\system32\cs-CZ
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R0 AVG Anti-Rootkit;AVG Anti-Rootkit; C:\Windows\System32\DRIVERS\avgarkt.sys [2007-01-31 5632]
R0 hotcore3;hc3ServiceName; C:\Windows\system32\drivers\hotcore3.sys [2010-02-03 40560]
R0 snapman;Acronis Snapshots Manager; C:\Windows\system32\DRIVERS\snapman.sys [2010-04-14 129248]
R0 tdrpman;Acronis Try&Decide and Restore Points filter; C:\Windows\system32\DRIVERS\tdrpman.sys [2010-04-14 368480]
R0 timounter;Acronis True Image Backup Archive Explorer; C:\Windows\system32\DRIVERS\timntr.sys [2010-04-14 441760]
R1 Amfilter;A4Tech Mouse Filter Driver; C:\Windows\system32\DRIVERS\Amfilter.sys [2007-05-15 9216]
R1 aswRdr;aswRdr; C:\Windows\system32\drivers\aswRdr.sys [2010-06-28 23376]
R1 aswSP;aswSP; C:\Windows\system32\drivers\aswSP.sys [2010-06-28 165456]
R1 aswTdi;avast! Network Shield Support; C:\Windows\system32\drivers\aswTdi.sys [2010-06-28 46672]
R1 AvgArCln;Avg Anti-Rootkit Clean Driver; C:\Windows\System32\DRIVERS\AvgArCln.sys [2007-01-18 3968]
R1 cmdGuard;COMODO Internet Security Sandbox Driver; C:\Windows\System32\DRIVERS\cmdguard.sys [2010-04-22 218560]
R1 cmdHlp;COMODO Internet Security Helper Driver; C:\Windows\System32\DRIVERS\cmdhlp.sys [2010-04-22 30112]
R1 inspect;COMODO Internet Security Firewall Driver; C:\Windows\system32\DRIVERS\inspect.sys [2010-04-22 74408]
R1 Uim_IM;UIM Drive Backup Image Plugin; C:\Windows\System32\Drivers\Uim_IM.sys [2010-02-03 385544]
R1 UimBus;Universal Image Mounter Controller; C:\Windows\system32\DRIVERS\UimBus.sys [2010-02-03 34392]
R1 vmm;Virtual Machine Monitor; \??\C:\Windows\system32\Drivers\vmm.sys [2008-02-12 232472]
R2 aswFsBlk;aswFsBlk; C:\Windows\system32\drivers\aswFsBlk.sys [2010-06-28 17744]
R2 aswMonFlt;aswMonFlt; \??\C:\Windows\system32\drivers\aswMonFlt.sys [2010-06-28 50256]
R2 CX23880;WinFast CX2388x WDM Video Capture.; C:\Windows\system32\drivers\cx88vid.sys [2006-10-18 162944]
R2 CXAVXBAR;WinFast CX2388x WDM Crossbar.; C:\Windows\system32\drivers\cxavxbar.sys [2006-10-18 9728]
R2 CXTUNE;Conexant 2388x Tuner; C:\Windows\system32\drivers\CX88TUNE_IBV32.sys [2006-11-02 17664]
R2 irda;IrDA Protocol; C:\Windows\system32\DRIVERS\irda.sys [2008-01-21 95744]
R2 SSPORT;SSPORT; \??\C:\Windows\system32\Drivers\SSPORT.sys [2007-08-13 5120]
R2 tifsfilter;Acronis True Image FS Filter; C:\Windows\system32\DRIVERS\tifsfilt.sys [2010-04-14 44384]
R3 amdkmdag;amdkmdag; C:\Windows\system32\DRIVERS\atikmdag.sys [2010-05-27 5550592]
R3 amdkmdap;amdkmdap; C:\Windows\system32\DRIVERS\atikmpag.sys [2010-05-27 176128]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller; C:\Windows\system32\DRIVERS\l160x86.sys [2007-10-31 46592]
R3 AtiHdmiService;ATI Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\AtiHdmi.sys [2010-03-09 104464]
R3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHDA.sys [2007-05-10 1775712]
R3 MTsensor;ATK0110 ACPI UTILITY; C:\Windows\system32\DRIVERS\ASACPI.sys [2006-10-18 7680]
R3 VPCNetS2;Virtual Machine Network Services Driver; C:\Windows\system32\DRIVERS\VMNetSrv.sys [2008-02-05 59960]
R3 VRVD302;VRVD302; C:\Windows\system32\DRIVERS\VRVD302.sys [2008-08-31 11296]
S2 DgiVecp;DgiVecp; \??\C:\Windows\system32\Drivers\DgiVecp.sys [2007-08-13 41984]
S3 Amusbprt;A4Tech HID-compliant Mouse Driver; C:\Windows\system32\DRIVERS\Amusbprt.sys [2007-05-15 14336]
S3 atikmdag;atikmdag; C:\Windows\system32\DRIVERS\atikmdag.sys [2010-05-27 5550592]
S3 CrystalSysInfo;CrystalSysInfo; \??\e:\Program Files\MediaCoder\SysInfo.sys []
S3 drmkaud;Dekodér zvuků DRM jádra společnosti Microsoft; C:\Windows\system32\drivers\drmkaud.sys [2008-01-21 5632]
S3 ENTECH;ENTECH; \??\C:\Windows\system32\DRIVERS\ENTECH.sys [2008-05-29 27672]
S3 esihdrv;esihdrv; \??\C:\Users\Milan\AppData\Local\Temp\esihdrv.sys []
S3 hamachi;Hamachi Network Interface; C:\Windows\system32\DRIVERS\hamachi.sys [2008-11-11 25280]
S3 HdAudAddService;Ovladač funkce Microsoft 1.1 UAA pro službu zvuku High Definition Audio; C:\Windows\system32\drivers\HdAudio.sys [2009-04-11 236544]
S3 mbr;mbr; \??\C:\Users\Milan\AppData\Local\Temp\mbr.sys []
S3 MSKSSRV;Server proxy služby datových proudů Microsoft; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-21 8192]
S3 MSPCLOCK;Server proxy hodin datových proudů Microsoft; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-21 5888]
S3 MSPQM;Server proxy správce kvality datových proudů Microsoft; C:\Windows\system32\drivers\MSPQM.sys [2008-01-21 5504]
S3 MSTEE;Konvertor jímka-jímka typu T datových proudů Microsoft; C:\Windows\system32\drivers\MSTEE.sys [2008-01-21 6016]
S3 PSI;PSI; C:\Windows\system32\DRIVERS\psi_mf.sys [2009-06-17 12648]
S3 pwdrvio;pwdrvio; \??\C:\Windows\system32\pwdrvio.sys [2009-12-21 16456]
S3 pwdspio;pwdspio; \??\C:\Windows\system32\pwdspio.sys [2009-12-21 11088]
S3 StarOpen;StarOpen; C:\Windows\system32\drivers\StarOpen.sys [2009-11-12 7168]
S3 STIrUsb;SigmaTel USB-IrDA Dongle; C:\Windows\system32\DRIVERS\irstusb.sys [2008-01-21 30208]
S3 usb_rndisx;Adaptér USB RNDIS; C:\Windows\system32\DRIVERS\usb8023x.sys [2009-04-11 15872]
S3 usbscan;Ovladač skeneru USB; C:\Windows\system32\DRIVERS\usbscan.sys [2008-01-21 35328]
S3 WINUSB;Ovladač WinUsb; C:\Windows\system32\DRIVERS\WinUSB.SYS [2009-04-11 31616]
S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2009-10-01 40448]
S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-21 83328]
S4 ErrDev;Microsoft Hardware Error Device Driver; C:\Windows\system32\drivers\errdev.sys [2008-01-21 6656]
S4 MegaSR;MegaSR; C:\Windows\system32\drivers\megasr.sys [2008-01-21 386616]
S4 sptd;sptd; C:\Windows\System32\Drivers\sptd.sys [2008-08-30 717296]
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 ACDaemon;ArcSoft Connect Daemon; C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [2008-07-03 109056]
R2 AcrSch2Svc;Acronis Scheduler2 Service; C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe [2008-03-06 427288]
R2 AMD External Events Utility;AMD External Events Utility; C:\Windows\system32\atiesrxx.exe [2010-05-27 172032]
R2 avast! Antivirus;avast! Antivirus; C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2010-06-28 40384]
R2 BthServ;@%SystemRoot%\System32\bthserv.dll,-101; C:\Windows\system32\svchost.exe [2008-01-21 21504]
R2 cmdAgent;COMODO Internet Security Helper Service; C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe [2010-04-22 1769216]
R2 Irmon;@%SystemRoot%\System32\irmon.dll,-2000; C:\Windows\system32\svchost.exe [2008-01-21 21504]
R2 NMSAccess;NMSAccess; C:\Program Files\CDBurnerXP\NMSAccessU.exe [2010-03-04 71096]
R2 PnkBstrA;PnkBstrA; C:\Windows\system32\PnkBstrA.exe [2010-03-03 75064]
R2 RapiMgr;@%windir%\WindowsMobile\rapimgr.dll,-104; C:\Windows\system32\svchost.exe [2008-01-21 21504]
R2 TryAndDecideService;Acronis Try And Decide Service; C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe [2008-03-06 495936]
R2 TuneUp.ProgramStatisticsSvc;@%SystemRoot%\System32\TUProgSt.exe,-1; C:\Windows\System32\TUProgSt.exe [2010-04-22 604488]
R2 UleadBurningHelper;Ulead Burning Helper; C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe [2004-12-13 49152]
R2 UxTuneUp;@%SystemRoot%\System32\uxtuneup.dll,-4096; C:\Windows\System32\svchost.exe [2008-01-21 21504]
R2 WcesComm;@%windir%\WindowsMobile\wcescomm.dll,-40079; C:\Windows\system32\svchost.exe [2008-01-21 21504]
R3 avast! Mail Scanner;avast! Mail Scanner; C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2010-06-28 40384]
R3 avast! Web Scanner;avast! Web Scanner; C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2010-06-28 40384]
S2 gupdate1c9de051e6229f3;Google Update Service (gupdate1c9de051e6229f3); C:\Program Files\Google\Update\GoogleUpdate.exe [2009-05-26 133104]
S3 aspnet_state;Stavová služba ASP.NET; C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2009-03-30 31048]
S3 FontCache;@%systemroot%\system32\FntCache.dll,-100; C:\Windows\system32\svchost.exe [2008-01-21 21504]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 TuneUp.Defrag;@%SystemRoot%\System32\TuneUpDefragService.exe,-1; C:\Windows\System32\TuneUpDefragService.exe [2010-04-22 361288]
-----------------EOF-----------------
Re: Please check after repair and cleaning
Good evening
Please post this log: C:\ComboFix.txt.
And read the warning in my signature.

Do not use COMBOFIX without a helper's recommendation; it can damage the system!
Always back up important data before disinfecting your computer
Want to support our forum? Information here

I am usually reachable at night, between 21:00 and 23:00
If you have any questions, you can write to me at Motji(zavináč)forum.viry.cz.
Re: Please check after repair and cleaning
Sorry, but I did not understand that warning? I posted the log from RSIT, as required. And I have been using ComboFix for some time (if that is what it was aimed at).
In any case, please don't be angry.
Here is the ComboFix log:
ComboFix 10-08-04.05 - Milan 05.08.2010 13:41:17.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1250.420.1029.18.3326.2495 [GMT 2:00]
Spuštěný z: h:\stahovačka\ComboFix.exe
AV: avast! antivirus 4.8.1229 [VPS 081121-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: avast! antivirus 4.8.1229 [VPS 081121-0] *enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Vytvořen nový Bod Obnovení
.
((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\%appdata%
c:\windows\system32\Dvbpws.dll
c:\windows\system32\swt-win32-3232.dll
.
\\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
\\.\PhysicalDrive1 - Bootkit Whistler was found and disinfected
\\.\PhysicalDrive2 - Bootkit Whistler was found and disinfected
.
((((((((((((((((((((((((( Soubory vytvořené od 2010-07-05 do 2010-08-05 )))))))))))))))))))))))))))))))
.
2010-08-05 08:23 . 2007-01-18 12:00 3968 ----a-w- c:\windows\system32\drivers\AvgArCln.sys
2010-08-04 22:06 . 2010-02-12 10:32 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-07-30 12:19 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
2010-07-30 09:29 . 2009-11-12 12:48 7168 ----a-w- c:\windows\system32\drivers\StarOpen.sys
2010-07-30 09:08 . 2010-07-30 09:08 -------- d-----w- c:\program files\Ashampoo
2010-07-30 08:40 . 2010-03-17 20:53 180224 ----a-w- c:\windows\system32\QTCF.dll
2010-07-25 15:31 . 2010-07-25 15:31 -------- d-----w- c:\users\Milan\AppData\Local\Opera
2010-07-23 11:18 . 2010-08-04 21:42 -------- d-----w- c:\users\Milan\AppData\Roaming\vlc
2010-07-22 19:35 . 2010-07-22 19:35 -------- d-----w- c:\program files\GIMP-2.0
2010-07-22 18:04 . 2010-07-22 19:27 -------- d-----w- c:\users\Milan\.gimp-2.7
2010-07-22 07:04 . 2010-07-22 07:05 -------- d-----w- c:\program files\GIMP 2.7
2010-07-09 19:04 . 2010-07-09 19:04 41872 ----a-w- c:\windows\system32\xfcodec.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-05 11:49 . 2009-03-23 10:07 12 ----a-w- c:\windows\bthservsdp.dat
2010-08-05 10:33 . 2008-08-27 19:09 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-08-05 09:35 . 2010-05-29 17:58 -------- d-----w- c:\program files\Stereoscopic Player
2010-08-05 08:51 . 2008-10-19 17:02 -------- d-----w- c:\users\Milan\AppData\Roaming\Orbit
2010-08-04 18:27 . 2008-09-05 18:27 1356 ----a-w- c:\users\Milan\AppData\Local\d3d9caps.dat
2010-08-04 16:43 . 2008-08-28 08:42 -------- d-----w- c:\users\Milan\AppData\Roaming\skypePM
2010-08-04 11:43 . 2008-08-28 07:33 -------- d-----w- c:\users\Milan\AppData\Roaming\Media Player Classic
2010-08-01 21:22 . 2008-08-28 07:21 137256 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-08-01 21:22 . 2008-08-27 20:44 218808 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-08-01 21:16 . 2010-03-07 11:16 1 ----a-w- c:\users\Milan\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-08-01 16:13 . 2008-01-21 06:46 637432 ----a-w- c:\windows\system32\perfh005.dat
2010-08-01 16:13 . 2008-01-21 06:46 135298 ----a-w- c:\windows\system32\perfc005.dat
2010-08-01 16:11 . 2009-12-15 11:00 -------- d-----w- c:\program files\Xfire
2010-07-30 09:29 . 2010-04-15 08:58 -------- d-----w- c:\program files\CDBurnerXP
2010-07-30 09:25 . 2008-08-27 20:16 -------- d-----w- c:\program files\CCleaner
2010-07-30 09:14 . 2008-09-04 13:25 -------- d-----w- c:\users\Milan\AppData\Roaming\Ashampoo
2010-07-30 08:40 . 2008-10-23 21:57 -------- d-----w- c:\program files\QuickTime Alternative
2010-07-28 15:26 . 2010-04-10 08:24 -------- d-----w- c:\program files\Avidemux 2.5
2010-07-27 10:55 . 2010-03-07 09:43 -------- d-----w- c:\program files\Opera
2010-07-23 13:06 . 2008-08-28 08:13 -------- d-----w- c:\program files\FastStone Image Viewer
2010-07-14 11:07 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-06-28 20:57 . 2008-08-27 19:10 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-06-28 20:37 . 2008-08-27 19:10 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-06-28 20:37 . 2008-08-27 19:10 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-06-28 20:33 . 2008-08-27 19:10 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-06-28 20:32 . 2008-08-27 19:10 50256 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-06-28 20:32 . 2008-08-27 19:10 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-06-22 12:42 . 2008-08-27 18:32 115512 ----a-w- c:\users\Milan\AppData\Local\GDIPFONTCACHEV1.DAT
2010-06-19 11:42 . 2008-09-14 10:33 -------- d-----w- c:\programdata\DVD Shrink
2010-06-13 21:31 . 2010-01-25 11:24 -------- d-----w- c:\program files\K-Lite Codec Pack
2010-06-13 21:17 . 2010-06-13 21:17 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2010-06-02 08:00 . 2010-06-13 21:28 108032 ----a-w- c:\windows\system32\ff_vfw.dll
2010-05-29 17:58 . 2010-05-29 17:58 25214 ----a-r- c:\users\Milan\AppData\Roaming\Microsoft\Installer\{37B1F7CD-13E4-47DA-9E84-51AD6972ADC5}\_C8C2C130E39E5041651088.exe
2010-05-29 17:58 . 2010-05-29 17:58 25214 ----a-r- c:\users\Milan\AppData\Roaming\Microsoft\Installer\{37B1F7CD-13E4-47DA-9E84-51AD6972ADC5}\_C3E7546297024A7EDF9247.exe
2010-05-29 17:58 . 2010-05-29 17:58 25214 ----a-r- c:\users\Milan\AppData\Roaming\Microsoft\Installer\{37B1F7CD-13E4-47DA-9E84-51AD6972ADC5}\_6FEFF9B68218417F98F549.exe
2010-05-27 19:39 . 2010-05-27 19:39 5550592 ----a-w- c:\windows\system32\drivers\atikmdag.sys
2010-05-27 19:17 . 2010-05-27 19:17 15024128 ----a-w- c:\windows\system32\atioglxx.dll
2010-05-27 19:16 . 2010-05-27 19:16 143360 ----a-w- c:\windows\system32\atiapfxx.exe
2010-05-27 19:16 . 2010-05-05 02:19 506880 ----a-w- c:\windows\system32\aticfx32.dll
2010-05-27 19:13 . 2010-05-27 19:13 446464 ----a-w- c:\windows\system32\ATIDEMGX.dll
2010-05-27 19:13 . 2010-05-27 19:13 372736 ----a-w- c:\windows\system32\atieclxx.exe
2010-05-27 19:12 . 2010-05-27 19:12 172032 ----a-w- c:\windows\system32\atiesrxx.exe
2010-05-27 19:11 . 2010-05-27 19:11 159744 ----a-w- c:\windows\system32\atitmmxx.dll
2010-05-27 19:11 . 2010-05-27 19:11 356352 ----a-w- c:\windows\system32\atipdlxx.dll
2010-05-27 19:11 . 2010-05-27 19:11 278528 ----a-w- c:\windows\system32\Oemdspif.dll
2010-05-27 19:11 . 2010-05-27 19:11 11776 ----a-w- c:\windows\system32\atimuixx.dll
2010-05-27 19:11 . 2010-05-27 19:11 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2010-05-27 19:08 . 2010-05-27 19:08 3609600 ----a-w- c:\windows\system32\atidxx32.dll
2010-05-27 18:51 . 2010-05-27 18:51 53248 ----a-w- c:\windows\system32\aticalrt.dll
2010-05-27 18:51 . 2010-05-27 18:51 53248 ----a-w- c:\windows\system32\aticalcl.dll
2010-05-27 18:51 . 2008-08-21 13:56 3788288 ----a-w- c:\windows\system32\atiumdag.dll
2010-05-27 18:50 . 2010-05-27 18:50 4022272 ----a-w- c:\windows\system32\aticaldd.dll
2010-05-27 18:47 . 2010-03-03 03:23 50176 ----a-w- c:\windows\system32\coinst.dll
2010-05-27 18:47 . 2010-05-27 18:47 3015680 ----a-w- c:\windows\system32\atiumdva.dll
2010-05-27 18:39 . 2010-05-27 18:39 237568 ----a-w- c:\windows\system32\atiadlxx.dll
2010-05-27 18:39 . 2010-05-27 18:39 12800 ----a-w- c:\windows\system32\atiglpxx.dll
2010-05-27 18:39 . 2010-05-27 18:39 15360 ----a-w- c:\windows\system32\atigktxx.dll
2010-05-27 18:39 . 2010-05-27 18:39 176128 ----a-w- c:\windows\system32\drivers\atikmpag.sys
2010-05-27 18:38 . 2010-05-27 18:38 28160 ----a-w- c:\windows\system32\atiuxpag.dll
2010-05-27 18:38 . 2010-03-03 03:06 20480 ----a-w- c:\windows\system32\atiu9pag.dll
2010-05-27 18:38 . 2010-03-03 03:06 23040 ----a-w- c:\windows\system32\atitmpxx.dll
2010-05-27 18:37 . 2010-05-27 18:37 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2010-05-27 18:36 . 2010-05-27 18:36 52224 ----a-w- c:\windows\system32\atimpc32.dll
2010-05-27 18:36 . 2010-05-27 18:36 52224 ----a-w- c:\windows\system32\amdpcom32.dll
2010-05-26 17:06 . 2010-06-08 18:25 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:47 . 2010-06-08 18:25 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-21 12:14 . 2009-10-03 13:12 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-16 08:31 . 2010-05-16 08:31 4382720 ----a-w- c:\programdata\TuneUp Software\TuneUp Utilities\WinStyler\LogonScreens\lauren.tls.dll
2010-05-16 08:29 . 2010-05-16 08:29 16384 ----a-w- c:\programdata\TuneUp Software\TuneUp Utilities\WinStyler\LogoAnimations\beh.tla.dll
2010-05-10 18:49 . 2010-05-10 18:49 711168 ----a-w- c:\windows\isRS-000.tmp
2010-05-10 12:43 . 2009-04-01 19:28 115896 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-03-24 17:22 . 2009-03-24 17:22 272896 ----a-w- c:\program files\Common Files\kg.exe
2006-05-03 10:06 . 2010-01-23 15:43 163328 --sh--r- c:\windows\System32\flvDX.dll
2007-02-21 11:47 . 2010-01-23 15:43 31232 --sh--r- c:\windows\System32\msfDX.dll
2008-03-16 13:30 . 2010-01-23 15:43 216064 --sh--r- c:\windows\System32\nbDX.dll
2008-08-21 13:51 . 2008-08-21 13:51 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-25 149280]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-05-27 102400]
"RtHDVCpl"="RtHDVCpl.exe" [2007-05-10 4468736]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2008-06-10 1442888]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-04-22 2029456]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-07-04 109056]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2008-03-06 910744]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\guard32.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast5]
2010-06-28 20:57 2837864 ----a-w- c:\progra~1\ALWILS~1\Avast5\AvastUI.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ehTray.exe"=c:\windows\ehome\ehTray.exe
"WinFast Schedule"=c:\program files\WinFast\WFDTV\WFWIZ.exe
"WMPNSCFG"=c:\program files\Windows Media Player\WMPNSCFG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"WinFastDTV"=c:\program files\WinFast\WFDTV\DTVSchdl.exe
"Windows Mobile Device Center"=%windir%\WindowsMobile\wmdc.exe
"TrueImageMonitor.exe"=c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe"
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):fe,65,2c,af,24,fa,c9,01
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1617985853-1512789681-1251605036-1000]
"EnableNotificationsRef"=dword:00000001
R2 gupdate1c9de051e6229f3;Google Update Service (gupdate1c9de051e6229f3);c:\program files\Google\Update\GoogleUpdate.exe [2009-05-26 133104]
R3 esihdrv;esihdrv;c:\users\Milan\AppData\Local\Temp\esihdrv.sys [x]
R3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [2009-06-17 12648]
R3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys [2009-12-21 16456]
R3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys [2009-12-21 11088]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2008-08-30 717296]
S0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [2010-02-03 40560]
S1 aswSP;aswSP; [x]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2010-04-22 218560]
S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2010-04-22 30112]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-05-27 172032]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-06-28 50256]
S2 SSPORT;SSPORT;c:\windows\system32\Drivers\SSPORT.sys [2007-08-13 5120]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2010-05-27 5550592]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-05-27 176128]
S3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\DRIVERS\l160x86.sys [2007-10-31 46592]
S3 VRVD302;VRVD302;c:\windows\system32\DRIVERS\VRVD302.sys [2008-08-31 11296]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Obsah adresáře 'Naplánované úlohy'
2010-08-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-26 13:22]
2010-08-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-26 13:22]
2010-07-14 c:\windows\Tasks\User_Feed_Synchronization-{60B2397D-7A44-434C-B979-0497A9FA82BA}.job
- c:\windows\system32\msfeedssync.exe [2010-06-08 04:30]
2010-08-01 c:\windows\Tasks\Úklid 1 kliknutím.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2009-11-16 14:43]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.centrum.cz/
uInternet Settings,ProxyServer = 10.0.14.1:3128
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
TCP: {B34111F9-934E-414C-A437-0D91D4D067C2} = 212.71.128.9
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-05 13:51
Windows 6.0.6002 Service Pack 2 NTFS
skenování skrytých procesů ...
skenování skrytých položek 'Po spuštění' ...
skenování skrytých souborů ...
sken byl úspešně dokončen
skryté soubory:
**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d6,1e,ca,a3,86,3d,2d,40,89,d4,8c,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d6,1e,ca,a3,86,3d,2d,40,89,d4,8c,\
[HKEY_USERS\S-1-5-21-1617985853-1512789681-1251605036-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
[HKEY_USERS\S-1-5-21-1617985853-1512789681-1251605036-1000\Software\SecuROM\License information*]
"datasecu"=hex:33,31,17,09,6e,06,be,63,31,47,4b,4a,b1,a3,a5,81,ad,d7,b6,9f,37,
7f,e1,85,95,6e,38,53,e0,1d,e6,2d,d3,95,95,df,bf,e4,29,2d,8b,64,4e,80,b5,6f,\
"rkeysecu"=hex:1a,16,c6,3f,ea,93,cc,f7,a3,06,dc,c8,66,5a,46,97
.
--------------------- Knihovny navázané na běžící procesy ---------------------
- - - - - - - > 'lsass.exe'(976)
c:\windows\system32\relog_ap.dll
- - - - - - - > 'Explorer.exe'(3968)
c:\program files\Microsoft Virtual PC\VPCShExH.DLL
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\program files\COMODO\COMODO Internet Security\cmdagent.exe
c:\windows\system32\atieclxx.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
c:\windows\System32\TUProgSt.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\system32\conime.exe
c:\windows\RtHDVCpl.exe
c:\program files\Alwil Software\Avast5\AvastUI.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Celkový čas: 2010-08-05 13:57:36 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-08-05 11:57
Před spuštěním: Volných bajtů: 55 693 082 624
Po spuštění: Volných bajtů: 55 535 734 784
Current=1 Default=1 Failed=0 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - 28C6CBFA219FC11EF3DD686915FAEDC2
PS: If you are from Haná, then we may be just a short way from each
In any case, please don't be upset.

Re: Request for a check after repair and cleaning
Yes, that warning belonged to ComboFix.
ComboFix occasionally has a bug and can delete even system files; in isolated cases the system no longer boots. The helper knows where ComboFix stores its registry backups and how to repair it.
If you post an RSIT log here after using ComboFix, ComboFix has already deleted the traces of the malware, so the RSIT log is clean, but the PC need not be.
ComboFix does delete the files it has in its database, but it may not have the newer ones... the helper can, however, read a lot of things from the log.
I can see in the log that ComboFix repaired a new MBR rootkit, so I recommend that you change all the passwords you have used on this PC once we finish here together.
And we will check whether everything is gone.
Test at www.virustotal.com
c:\program files\Common Files\kg.exe
c:\programdata\TuneUp Software\TuneUp Utilities\WinStyler\LogoAnimations\beh.tla.dll
- Copy the path to the file into the box; if it says the file has already been tested, have it tested again.
- Post the link with the results here.
Download MBR
http://www2.gmer.net/mbr/mbr.exe
- Save it to the desktop and run it.
- A log named mbr.log will be created; post it here.
Download Bootkit Remover http://www.esagelab.com/files/bootkit_remover.rar
- Save it to the desktop and run it.
- Right-click in the black window, choose Select All, press CTRL+C and then CTRL+V here on the forum.
Download Gmer http://www.viry.cz/forum/viewtopic.php?f=29&t=62878
- Unpack and run it.
- A scan will run; when it finishes, a window with the results opens. Click Save to save the log, and post it here.
- Following the instructions in the link, perform the second scan and post that log here as well.
And I am from Haná.

Do not use COMBOFIX without a helper's recommendation; it can damage the system!
Always back up important data before cleaning a computer of malware.
Want to support our forum? Information here

I am mostly reachable at night, between 21:00 and 23:00.
If you have any questions, you can write to me at Motji(at)forum.viry.cz.
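The helper's remark that a lot can be read from the log is the point of this added example; it is my own code, not ComboFix's and not the forum's. It parses lines in the format ComboFix prints (file listing, registry autostarts, driver table, supplementary scan) and applies a few review heuristics: hidden+system files under the Windows directory, a driver loaded from a Temp directory, UAC disabled, AppInit_DLLs in use, a system proxy configured. The sample lines are copied from the log quoted in this thread; the heuristics only mark entries for a human to look at.

```python
"""Triage heuristics over lines in ComboFix's log format.

Added example for this thread; it is not ComboFix or forum code. The sample
lines are copied from the log quoted above; the parser and every heuristic
below are my own and only mark entries for a human to review.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a handful of lines in the shape ComboFix prints
# (file listing, registry autostarts, driver/service table, supplementary scan).
SAMPLE_LOG = r"""
2010-05-21 12:14 . 2009-10-03 13:12 221568 ------w- c:\windows\system32\MpSigStub.exe
2006-05-03 10:06 . 2010-01-23 15:43 163328 --sh--r- c:\windows\System32\flvDX.dll
2008-03-16 13:30 . 2010-01-23 15:43 216064 --sh--r- c:\windows\System32\nbDX.dll
2010-07-22 19:35 . 2010-07-22 19:35 -------- d-----w- c:\program files\GIMP-2.0
2009-03-24 17:22 . 2009-03-24 17:22 272896 ----a-w- c:\program files\Common Files\kg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\guard32.dll
R3 esihdrv;esihdrv;c:\users\Milan\AppData\Local\Temp\esihdrv.sys [x]
S1 aswSP;aswSP; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-06-28 50256]
uInternet Settings,ProxyServer = 10.0.14.1:3128
"""

# "<created> . <modified> <size|--------> <attrs> <path>"; attrs is an 8-char
# field such as ----a-w- or --sh--r- (d = directory, s = system, h = hidden).
FILE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d) "
    r"(\S+) ([-a-z]{8}) (.+)$"
)
# "<start type> <name>;<description>;<path> [<date size> | x]"
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*?) \[(.*)\]$")


@dataclass
class FileEntry:
    created: str
    modified: str
    size: Optional[int]  # None for directory entries ("--------")
    attrs: str
    path: str


@dataclass
class Finding:
    kind: str    # "review" (look at it) or "weak-setting" (hardening gap)
    line: str    # the log line that triggered the finding
    reason: str


def parse_file_entries(text: str) -> List[FileEntry]:
    """Return every file-listing line as a structured entry."""
    entries = []
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            size = None if m.group(3).startswith("-") else int(m.group(3))
            entries.append(FileEntry(m.group(1), m.group(2), size, m.group(4), m.group(5)))
    return entries


def triage(text: str) -> List[Finding]:
    """Apply the review heuristics to every line and collect the hits."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FILE_RE.match(line)
        if m:
            attrs, path = m.group(4), m.group(5)
            # System+hidden bits on a file under %windir% keep it out of a casual
            # directory listing; legitimate files rarely need both.
            if "s" in attrs and "h" in attrs and path.lower().startswith("c:\\windows\\"):
                findings.append(Finding("review", line,
                                        "hidden+system file inside the Windows directory"))
            continue
        m = SERVICE_RE.match(line)
        if m:
            path, stamp = m.group(4), m.group(5)
            if "\\temp\\" in path.lower():
                findings.append(Finding("review", line,
                                        "driver/service loaded from a Temp directory"))
            elif path and stamp == "x":
                findings.append(Finding("review", line,
                                        "service points at a file ComboFix could not find"))
            continue
        if line.startswith('"EnableLUA"=') and re.search(r"=\s*0\b", line):
            findings.append(Finding("weak-setting", line, "UAC is disabled (EnableLUA=0)"))
        elif line.startswith('"AppInit_DLLs"='):
            dll = line.split("=", 1)[1]
            # AppInit_DLLs is loaded into every process that loads user32.dll, so the
            # DLL named here must be confirmed (here it sits next to COMODO entries).
            findings.append(Finding("review", line,
                                    f"AppInit_DLLs injects {dll} into processes; confirm it is expected"))
        elif "ProxyServer" in line:
            findings.append(Finding("review", line,
                                    "a system proxy is set; confirm it is intentional"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
```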
Re: Please check after repair and cleaning
I had the MBR modified in EasyBCD when I was testing the Win7 beta and Linux; after errors from a non-standard shutdown the old MBR with Win7 got loaded, so I changed it again; maybe that is why combofix made another change?... What do you think, is that possible?
As for TuneUp, I used it to have a different logo, logon screen and so on. I do not recommend doing that; some Microsoft updates cannot cope with it and the system does not even boot (same experience on XP). Just in case someone can make use of it.
test:
http://www.virustotal.com/cs/analisis/7 ... 1281035418
and
http://www.virustotal.com/cs/analisis/3 ... 1281036464
mbr:
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 9 !
Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com
Program version: 1.1.0.0
OS Version: Microsoft Windows Vista Home Premium Edition Service Pack 2 (build 6
002), 32-bit
System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
Boot sector MD5 is: bb4f1627d8b9beda49ac0d010229f3ff
Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)
Done;
Press any key to quit...
1scan:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-08-05 21:42:55
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\Milan\AppData\Local\Temp\aglcypow.sys
---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 sector 09: copy of MBR
---- System - GMER 1.0.15 ----
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0x92134B9C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)
AttachedDevice \Driver\tdx \Device\Ip cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\tdx \Device\Tcp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\tdx \Device\Udp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\tdx \Device\RawIp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
---- EOF - GMER 1.0.15 ----
2scan:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-05 21:47:56
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\Milan\AppData\Local\Temp\aglcypow.sys
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwAdjustPrivilegesToken [0x917CC9B6]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwAlpcConnectPort [0x917CDD34]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwAlpcCreatePort [0x917CCBA2]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwConnectPort [0x917CBCF0]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateFile [0x917CC61C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreatePort [0x917CBBCC]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateSection [0x917CC3B2]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateSymbolicLinkObject [0x917CD9C4]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateThread [0x917CB710]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwDuplicateObject [0x917CB542]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwLoadDriver [0x917CD600]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwMakeTemporaryObject [0x917CBF8C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenFile [0x917CC7F8]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenProcess [0x917CB226]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenSection [0x917CC23C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenThread [0x917CB3BE]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwRequestWaitReplyPort [0x917CD094]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSecureConnectPort [0x917CD348]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSetSystemInformation [0x917CD7CC]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwShutdownSystem [0x917CBF26]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSystemDebugControl [0x917CC128]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwTerminateProcess [0x917CBA6A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwTerminateThread [0x917CB910]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateThreadEx [0x917CCCB2]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0x92134B9C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!KeSetEvent + 119 832E387C 4 Bytes [B6, C9, 7C, 91] {MOV DH, 0xc9; JL 0xffffffffffffff95}
.text ntkrnlpa.exe!KeSetEvent + 13D 832E38A0 8 Bytes [34, DD, 7C, 91, A2, CB, 7C, ...]
.text ntkrnlpa.exe!KeSetEvent + 1C1 832E3924 4 Bytes [F0, BC, 7C, 91]
.text ntkrnlpa.exe!KeSetEvent + 1D9 832E393C 4 Bytes [1C, C6, 7C, 91] {SBB AL, 0xc6; JL 0xffffffffffffff95}
.text ntkrnlpa.exe!KeSetEvent + 205 832E3968 4 Bytes [CC, BB, 7C, 91]
.text ...
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 8340E28F 5 Bytes JMP 921305B4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ObInsertObject 83467038 5 Bytes JMP 92131F6C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 834C8892 7 Bytes JMP 92134BA0 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8F80B000, 0x2FBFB8, 0xE8000020]
? C:\Users\Milan\AppData\Local\Temp\mbr.sys Systém nemůže nalézt uvedený soubor. !
? C:\ComboFix\catchme.sys Systém nemůže nalézt uvedenou cestu. !
? C:\Windows\system32\Drivers\PROCEXP113.SYS Systém nemůže nalézt uvedený soubor. !
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1352] ntdll.dll!NtAllocateVirtualMemory 77734134 5 Bytes JMP 004EF2F0 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] ntdll.dll!NtAllocateVirtualMemory 77734134 5 Bytes JMP 006E7F00 C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\Windows\system32\services.exe[964] @ C:\Windows\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00060002
IAT C:\Windows\system32\services.exe[964] @ C:\Windows\system32\services.exe [KERNEL32.dll!CreateProcessW] 00060000
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [0053D9C0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryA] [0053D810] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryW] [0053D850] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!GetModuleHandleA] [0053D930] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!CreateThread] [0053CF40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [0053D9C0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [0053D810] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetModuleHandleA] [0053D930] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] [0053D8E0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!CreateThread] [0053CF40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] [0053D850] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [0053D9C0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [0053D810] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [0053D850] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!CreateThread] [0053CF40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\IPHLPAPI.DLL [KERNEL32.dll!LoadLibraryA] [0053D810] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\IPHLPAPI.DLL [KERNEL32.dll!GetProcAddress] [0053D9C0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\WS2_32.dll [KERNEL32.dll!GetModuleHandleA] [0053D930] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\WS2_32.dll [KERNEL32.dll!CreateThread] [0053CF40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress] [0053D9C0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryA] [0053D810] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryExW] [0053D8E0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryW] [0053D850] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [0053D810] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW] [0053D850] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [0053D9C0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [0053D850] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateThread] [0053CF40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetModuleHandleA] [0053D930] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [0053D8E0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [0053D810] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [0053D9C0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\SHLWAPI.dll [GDI32.dll!DeleteObject] [0053C6A0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [0053C640] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!RegisterClassW] [0053D090] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!RegisterClassA] [0053CFD0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [0053CB30] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [0053CAA0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!GetSystemMetrics] [0053D150] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [0053D8E0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!CreateThread] [0053CF40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [0053D9C0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [0053D850] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [0053D810] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\SHELL32.dll [GDI32.dll!DeleteObject] [0053C6A0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\SHELL32.dll [USER32.dll!AdjustWindowRectEx] [0053D410] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\SHELL32.dll [USER32.dll!CallWindowProcW] [0053C960] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\SHELL32.dll [USER32.dll!GetScrollInfo] [0053C8F0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\SHELL32.dll [USER32.dll!SystemParametersInfoW] [0053D2D0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\SHELL32.dll [USER32.dll!DrawEdge] [0053D5C0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\SHELL32.dll [USER32.dll!DrawFrameControl] [0053D610] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\SHELL32.dll [USER32.dll!GetSysColorBrush] [0053C6F0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\SHELL32.dll [USER32.dll!GetSysColor] [0053C640] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\SHELL32.dll [USER32.dll!RegisterClassW] [0053D090] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\SHELL32.dll [USER32.dll!FillRect] [0053D540] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [0053CB30] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\SHELL32.dll [USER32.dll!GetSystemMetrics] [0053D150] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\SHELL32.dll [USER32.dll!SetScrollInfo] [0053C7E0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\ole32.dll [GDI32.dll!DeleteObject] [0053C6A0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!CreateThread] [0053CF40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [0053D8E0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [0053D850] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [0053D810] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!GetProcAddress] [0053D9C0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\ole32.dll [USER32.dll!SystemParametersInfoW] [0053D2D0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\ole32.dll [USER32.dll!GetSystemMetrics] [0053D150] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\ole32.dll [USER32.dll!GetSysColor] [0053C640] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\ole32.dll [USER32.dll!CallWindowProcW] [0053C960] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\ole32.dll [USER32.dll!RegisterClassW] [0053D090] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\ole32.dll [USER32.dll!DefWindowProcW] [0053CB30] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [0053D9C0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [0053D810] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!CreateThread] [0053CF40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExW] [0053D8E0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetModuleHandleA] [0053D930] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\USERENV.dll [KERNEL32.dll!CreateThread] [0053CF40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\USERENV.dll [KERNEL32.dll!GetProcAddress] [0053D9C0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\USERENV.dll [KERNEL32.dll!LoadLibraryA] [0053D810] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)
AttachedDevice \Driver\tdx \Device\Tcp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume7 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume7 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
AttachedDevice \Driver\tdx \Device\Udp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\tdx \Device\RawIp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x66 0xBB 0xBA 0x0D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x12 0xFA 0x24 0x6D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x82 0xBE 0xEC 0x24 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x66 0xBB 0xBA 0x0D ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x12 0xFA 0x24 0x6D ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x82 0xBE 0xEC 0x24 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x66 0xBB 0xBA 0x0D ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x12 0xFA 0x24 0x6D ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x82 0xBE 0xEC 0x24 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x66 0xBB 0xBA 0x0D ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x12 0xFA 0x24 0x6D ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x82 0xBE 0xEC 0x24 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x66 0xBB 0xBA 0x0D ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x12 0xFA 0x24 0x6D ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x82 0xBE 0xEC 0x24 ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x66 0xBB 0xBA 0x0D ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x12 0xFA 0x24 0x6D ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x82 0xBE 0xEC 0x24 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xC8 0x28 0x51 0xAF ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x71 0x3B 0x04 0x66 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0x7A 0x45 0x05 0xFD ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x6B 0x65 0x49 0x6A ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xCD 0x44 0xCD 0xB9 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0x50 0x93 0xE5 0xAB ...
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0x31 0x77 0xE1 0xBA ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x01 0x3A 0x48 0xFC ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0xF6 0x0F 0x4E 0x58 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0xB1 0xCD 0x45 0x5A ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0x2A 0xB7 0xCC 0xB5 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0x6C 0x43 0x2D 0x1E ...
---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 sector 09: copy of MBR
---- EOF - GMER 1.0.15 ----
Damn, that's a lot. I have to admit that apart from that kg.exe it looks OK to me (but I'm an amateur). How did you find it?
As for TuneUp, I used it to get a different logo, login screen and so on. I don't recommend doing that; some Microsoft updates can't cope with it and the system won't even boot (same experience on XP too). Just mentioning it, in case it's useful to someone.

test:
http://www.virustotal.com/cs/analisis/7 ... 1281035418
a
http://www.virustotal.com/cs/analisis/3 ... 1281036464

mbr:
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 9 !

Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com
Program version: 1.1.0.0
OS Version: Microsoft Windows Vista Home Premium Edition Service Pack 2 (build 6002), 32-bit
System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
Boot sector MD5 is: bb4f1627d8b9beda49ac0d010229f3ff
Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)
Done;
Press any key to quit...

1scan:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-08-05 21:42:55
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\Milan\AppData\Local\Temp\aglcypow.sys
---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 sector 09: copy of MBR
---- System - GMER 1.0.15 ----
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0x92134B9C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)
AttachedDevice \Driver\tdx \Device\Ip cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\tdx \Device\Tcp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\tdx \Device\Udp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\tdx \Device\RawIp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
---- EOF - GMER 1.0.15 ----

2scan:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-05 21:47:56
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\Milan\AppData\Local\Temp\aglcypow.sys
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwAdjustPrivilegesToken [0x917CC9B6]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwAlpcConnectPort [0x917CDD34]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwAlpcCreatePort [0x917CCBA2]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwConnectPort [0x917CBCF0]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateFile [0x917CC61C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreatePort [0x917CBBCC]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateSection [0x917CC3B2]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateSymbolicLinkObject [0x917CD9C4]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateThread [0x917CB710]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwDuplicateObject [0x917CB542]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwLoadDriver [0x917CD600]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwMakeTemporaryObject [0x917CBF8C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenFile [0x917CC7F8]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenProcess [0x917CB226]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenSection [0x917CC23C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenThread [0x917CB3BE]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwRequestWaitReplyPort [0x917CD094]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSecureConnectPort [0x917CD348]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSetSystemInformation [0x917CD7CC]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwShutdownSystem [0x917CBF26]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSystemDebugControl [0x917CC128]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwTerminateProcess [0x917CBA6A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwTerminateThread [0x917CB910]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateThreadEx [0x917CCCB2]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0x92134B9C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!KeSetEvent + 119 832E387C 4 Bytes [B6, C9, 7C, 91] {MOV DH, 0xc9; JL 0xffffffffffffff95}
.text ntkrnlpa.exe!KeSetEvent + 13D 832E38A0 8 Bytes [34, DD, 7C, 91, A2, CB, 7C, ...]
.text ntkrnlpa.exe!KeSetEvent + 1C1 832E3924 4 Bytes [F0, BC, 7C, 91]
.text ntkrnlpa.exe!KeSetEvent + 1D9 832E393C 4 Bytes [1C, C6, 7C, 91] {SBB AL, 0xc6; JL 0xffffffffffffff95}
.text ntkrnlpa.exe!KeSetEvent + 205 832E3968 4 Bytes [CC, BB, 7C, 91]
.text ...
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 8340E28F 5 Bytes JMP 921305B4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ObInsertObject 83467038 5 Bytes JMP 92131F6C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 834C8892 7 Bytes JMP 92134BA0 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8F80B000, 0x2FBFB8, 0xE8000020]
? C:\Users\Milan\AppData\Local\Temp\mbr.sys Systém nemůže nalézt uvedený soubor. !
? C:\ComboFix\catchme.sys Systém nemůže nalézt uvedenou cestu. !
? C:\Windows\system32\Drivers\PROCEXP113.SYS Systém nemůže nalézt uvedený soubor. !
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1352] ntdll.dll!NtAllocateVirtualMemory 77734134 5 Bytes JMP 004EF2F0 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] ntdll.dll!NtAllocateVirtualMemory 77734134 5 Bytes JMP 006E7F00 C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\Windows\system32\services.exe[964] @ C:\Windows\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00060002
IAT C:\Windows\system32\services.exe[964] @ C:\Windows\system32\services.exe [KERNEL32.dll!CreateProcessW] 00060000
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [0053D9C0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryA] [0053D810] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryW] [0053D850] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!GetModuleHandleA] [0053D930] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!CreateThread] [0053CF40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [0053D9C0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [0053D810] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetModuleHandleA] [0053D930] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] [0053D8E0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!CreateThread] [0053CF40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] [0053D850] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [0053D9C0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [0053D810] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [0053D850] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!CreateThread] [0053CF40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\IPHLPAPI.DLL [KERNEL32.dll!LoadLibraryA] [0053D810] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\IPHLPAPI.DLL [KERNEL32.dll!GetProcAddress] [0053D9C0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\WS2_32.dll [KERNEL32.dll!GetModuleHandleA] [0053D930] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\WS2_32.dll [KERNEL32.dll!CreateThread] [0053CF40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress] [0053D9C0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryA] [0053D810] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryExW] [0053D8E0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryW] [0053D850] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [0053D810] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW] [0053D850] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [0053D9C0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [0053D850] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateThread] [0053CF40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetModuleHandleA] [0053D930] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [0053D8E0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [0053D810] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [0053D9C0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\SHLWAPI.dll [GDI32.dll!DeleteObject] [0053C6A0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [0053C640] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!RegisterClassW] [0053D090] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!RegisterClassA] [0053CFD0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [0053CB30] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [0053CAA0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!GetSystemMetrics] [0053D150] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [0053D8E0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!CreateThread] [0053CF40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [0053D9C0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [0053D850] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [0053D810] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\SHELL32.dll [GDI32.dll!DeleteObject] [0053C6A0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\SHELL32.dll [USER32.dll!AdjustWindowRectEx] [0053D410] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\SHELL32.dll [USER32.dll!CallWindowProcW] [0053C960] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\SHELL32.dll [USER32.dll!GetScrollInfo] [0053C8F0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\SHELL32.dll [USER32.dll!SystemParametersInfoW] [0053D2D0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\SHELL32.dll [USER32.dll!DrawEdge] [0053D5C0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\SHELL32.dll [USER32.dll!DrawFrameControl] [0053D610] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\SHELL32.dll [USER32.dll!GetSysColorBrush] [0053C6F0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\SHELL32.dll [USER32.dll!GetSysColor] [0053C640] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\SHELL32.dll [USER32.dll!RegisterClassW] [0053D090] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\SHELL32.dll [USER32.dll!FillRect] [0053D540] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [0053CB30] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\SHELL32.dll [USER32.dll!GetSystemMetrics] [0053D150] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\SHELL32.dll [USER32.dll!SetScrollInfo] [0053C7E0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\ole32.dll [GDI32.dll!DeleteObject] [0053C6A0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!CreateThread] [0053CF40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [0053D8E0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [0053D850] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [0053D810] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!GetProcAddress] [0053D9C0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\ole32.dll [USER32.dll!SystemParametersInfoW] [0053D2D0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\ole32.dll [USER32.dll!GetSystemMetrics] [0053D150] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\ole32.dll [USER32.dll!GetSysColor] [0053C640] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\ole32.dll [USER32.dll!CallWindowProcW] [0053C960] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\ole32.dll [USER32.dll!RegisterClassW] [0053D090] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\ole32.dll [USER32.dll!DefWindowProcW] [0053CB30] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [0053D9C0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [0053D810] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!CreateThread] [0053CF40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExW] [0053D8E0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetModuleHandleA] [0053D930] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\USERENV.dll [KERNEL32.dll!CreateThread] [0053CF40] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\USERENV.dll [KERNEL32.dll!GetProcAddress] [0053D9C0] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
IAT C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2772] @ C:\Windows\system32\USERENV.dll [KERNEL32.dll!LoadLibraryA] [0053D810] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)
AttachedDevice \Driver\tdx \Device\Tcp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume7 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume7 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
AttachedDevice \Driver\tdx \Device\Udp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\tdx \Device\RawIp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x66 0xBB 0xBA 0x0D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x12 0xFA 0x24 0x6D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x82 0xBE 0xEC 0x24 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x66 0xBB 0xBA 0x0D ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x12 0xFA 0x24 0x6D ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x82 0xBE 0xEC 0x24 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x66 0xBB 0xBA 0x0D ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x12 0xFA 0x24 0x6D ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x82 0xBE 0xEC 0x24 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x66 0xBB 0xBA 0x0D ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x12 0xFA 0x24 0x6D ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x82 0xBE 0xEC 0x24 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x66 0xBB 0xBA 0x0D ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x12 0xFA 0x24 0x6D ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x82 0xBE 0xEC 0x24 ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x66 0xBB 0xBA 0x0D ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x12 0xFA 0x24 0x6D ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x82 0xBE 0xEC 0x24 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xC8 0x28 0x51 0xAF ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x71 0x3B 0x04 0x66 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0x7A 0x45 0x05 0xFD ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x6B 0x65 0x49 0x6A ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xCD 0x44 0xCD 0xB9 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0x50 0x93 0xE5 0xAB ...
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0x31 0x77 0xE1 0xBA ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x01 0x3A 0x48 0xFC ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0xF6 0x0F 0x4E 0x58 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0xB1 0xCD 0x45 0x5A ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0x2A 0xB7 0xCC 0xB5 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0x6C 0x43 0x2D 0x1E ...
---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 sector 09: copy of MBR
---- EOF - GMER 1.0.15 ----
Damn, that's a lot. I must admit that apart from that kg.exe it looks OK to me (but I'm an amateur). How did you come across it?
Re: Please check after repair and cleaning
I don't know the file kg.exe and Google doesn't know it much either, but it suggests it could be a virus.
You seem to be quite a computer expert.
Let me get this straight. How many disks and operating systems do you have? Combofix repaired 3 disks, but Bootkit remover sees only one here.
Disk \Device\Harddisk0\DR0 sector 09: copy of MBR
Which OS is this?
Download HxD portable http://mh-nexus.de/en/downloads.php?product=HxD
- save it to the desktop
- unpack it and save the program directly to drive C
- run it
- click Open disk - choose hard disks (physical disks)
(don't mix it up)
- select hard disk 1
- in the box type which sector you want to open, confirm with Enter, and you will be right in that sector
- write me what you have in sector 9, copy it here (so we have a backup)
- look at what you have in sectors 1-62
So you have an idea what to look for, this is what my sector 60 looks like; all of sectors 1-62 should look like this, but you probably won't have them that way.
Do not use COMBOFIX without a helper's recommendation, it may damage the system!
Always back up important data before disinfecting a computer
Want to support our forum? Information here

I am mostly available at night, between 21:00 and 23:00
If you have any questions, you can write to me at Motji(at)forum.viry.cz.
Re: Please check after repair and cleaning
I currently use only Vista Home Premium (3 years without a reinstall, my record), and because Linux distributions use their own bootloader, e.g. GRUB, I put the bootloaders on disks other than C:, since I change Linux often, or when there's an error I immediately restore the MBR so that at least the system runs. (The command line and English are Greek to me.)
I have 3 physical disks, 500, 160 and 200 GB (+ a 500 GB external one for backups)
sector 9:
An expert, you say? Are you laughing at me? Probably yes, you're right, otherwise I wouldn't be here... But I'm telling you all these surrounding details only so there's a better picture of what happened.
I tried a restart and again one application hadn't finished (I didn't manage to read which), 62 processes after startup, that damned iexplore nowhere to be seen, so it should be OK
I should probably do something with the MBR, right? With Vista I don't have much experience with that; in XP it was a piece of cake.
Thank you very much for your help, Jitka
- Attachments
- sector9.jpg
- (328.69 KiB) Downloaded 313 times
Re: Please check after repair and cleaning
And did you have the disks connected during the Bootkit remover scan?
Run HxD again
- click Open disk - choose hard disks (physical disks)
(don't mix it up)
- select hard disk 1
- uncheck the "read-only" checkbox
- the program opens in edit mode
- find sector 9
- select the whole of sector 9 with the mouse (you can copy the numbers and save them in Notepad, so if something goes wrong you can put them back)
- choose the Fill selection option (3rd option from the bottom, between the two lines); the preset values open (00 00 00...)
- confirm OK
- close the program, confirm the change.
- then restart the computer and check whether the sector has been overwritten.
Run Mbr.exe again and paste the log here
But I see you have something in sector 10 too.. can you write me what sectors 1-62 look like?
Otherwise this is more of a cosmetic fix, the MBR rootkit should be gone.
Re: Please check after repair and cleaning
Well, I played around with the MBR and wiped it out... I deserve a few slaps, what a brat I am
So I created a new MBR using the install CD
So the gibberish runs from sector 1 through sector 51
here then is sector 9:
3ŔŽĐĽ.|ŽŔŽŘľ.|ż..ą..üó¤Ph..Ëűą..˝ľ.€~..|..…...Ĺ.âńÍ..V.UĆF..ĆF..´A»ŞUÍ.]r..űUŞu.÷Á..t.ţF.f`€~..t&fh....f˙v.h..h.|h..h..´BŠV.‹ôÍ.ź.Ä.žë.¸..».|ŠV.Šv.ŠN.Šn.Í.fas.ţN.u.€~.€.„Š.˛€ë„U2äŠV.Í.]ëž.>ţ}UŞun˙v.čŤ.u.ú°Ńćdč..°ßć`č|.°˙ćdču.ű¸.»Í.f#Ŕu;f.űTCPAu2.ů..r,fh.»..fh....fh....fSfSfUfh....fh.|..fah...Í.Z2öę.|..Í. ·.ë. ¶.ë. µ.2ä...‹đ¬<.t.»..´.Í.ëňôëý+Éädë.$.ŕř$.ĂInvalid partition table.Error loading operating system.Missing operating system...c{š......€....ţ˙˙?...$.k..ţ˙˙'ţ˙˙.0>9..ú..ţ˙˙.ţ˙˙c.k.ť.Ó&................UŞ
here is the mbr:
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 9 !
So should I still do that HxD action?
I wish you a good night. I've kept you working overtime.
Re: Please check after repair and cleaning
Well, at least you can be sure now that sector 0 is clean
The gibberish doesn't interest us, the numbers do
Fix that sector 9 to 0 as I wrote above, don't touch the gibberish
Re: Please check after repair and cleaning
Well, what can I tell you. I updated EasyBCD 2.0.2 and everything was OK, I'm checking what it read from the disk, the wait at the selection and so on... But as I wrote above, English is Greek to me; I clicked something and an error popped up, so I thought I'd load it from the backup and it'd be fine, tried a reset and... nothing. The install DVD fixed everything.
About those numbers in sector 9: if I set them to zeros, won't it go haywire? Those numbers are all over the place, from sector 0 up to some 700-millionth sector, but sectors 57-61, for example, are all 00
That disk deserves to be formatted.
And that mbr log above is the new one and it's exactly the same as the old one; do you know why it got shoved into sector 9 again?
Re: Please check after repair and cleaning
Are you definitely on the physical disk?
Sector 0 - don't touch that one, the system boots from it, there are no zeros there
Sectors 0-60 - there should be zeros there, but not always.
You have Vista and there it might be a little different from XP. If you save the numbers from sector 9 in Notepad, then if there were any problems, it can be fixed back.
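The sector checks the helper describes above (the HxD steps for sector 9, and which track-0 sectors should be zero) as an added Python example; this is not code from the thread or from GMER, mbr.exe or HxD. It works on a constructed raw disk image in memory, assumes 512-byte sectors with the first partition at LBA 63, and never touches a real disk.

```python
"""Track-0 check for a stale MBR copy, as discussed in this thread.

Added example, not code from the thread or from GMER/mbr.exe/HxD. It reproduces
offline what mbr.exe reported ("copy of MBR has been found in sector 9") and
what the helper's HxD steps do (zero sector 9), but on a raw disk image,
never on a live disk. Assumptions: 512-byte sectors and a classic MBR layout
whose first partition starts at LBA 63, so sectors 1..62 form the unused gap.
"""
import struct

SECTOR_SIZE = 512
TRACK0_SECTORS = 63          # sectors 0..62 before the first partition (assumed)
BOOT_CODE_LEN = 446          # MBR boot code precedes the 64-byte partition table


def build_sample_mbr() -> bytes:
    """Constructed MBR: dummy boot code, one NTFS partition entry, 55 AA signature."""
    code = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"Invalid partition table."
    code = code.ljust(BOOT_CODE_LEN, b"\x90")
    # entry: bootable flag, CHS start, type 0x07 (NTFS), CHS end, LBA start 63, 1 000 000 sectors
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 1_000_000)
    table = entry + b"\x00" * (16 * 3)
    return code + table + b"\x55\xAA"


def build_sample_image() -> bytes:
    """Constructed track 0: MBR in sector 0, a stale MBR copy in sector 9, some
    bootloader residue in sector 10 (the thread's user had data there too), zeros elsewhere."""
    mbr = build_sample_mbr()
    sectors = [mbr] + [b"\x00" * SECTOR_SIZE] * (TRACK0_SECTORS - 1)
    sectors[9] = mbr
    sectors[10] = (b"\x00" * 100 + b"GRUB ").ljust(SECTOR_SIZE, b"\x00")
    return b"".join(sectors)


def has_boot_signature(sector: bytes) -> bool:
    """True when the sector ends with the 55 AA boot signature."""
    return len(sector) == SECTOR_SIZE and sector[-2:] == b"\x55\xAA"


def scan_track0(image: bytes) -> dict:
    """Inspect sectors 0..62 of a raw image.

    Reports whether sector 0 carries a boot signature, which gap sectors are
    non-zero (a lead only: GRUB and some vendor tools use them legitimately),
    and which gap sectors repeat the MBR boot code (the mbr.exe 'copy of MBR' hit).
    """
    sectors = [image[i * SECTOR_SIZE:(i + 1) * SECTOR_SIZE] for i in range(TRACK0_SECTORS)]
    mbr = sectors[0]
    findings = {"mbr_signature_ok": has_boot_signature(mbr),
                "nonzero_sectors": [], "mbr_copies": []}
    for n in range(1, TRACK0_SECTORS):
        s = sectors[n]
        if any(s):
            findings["nonzero_sectors"].append(n)
        if has_boot_signature(s) and s[:BOOT_CODE_LEN] == mbr[:BOOT_CODE_LEN]:
            findings["mbr_copies"].append(n)
    return findings


def zero_sector(image: bytes, n: int) -> bytes:
    """Return a copy of the image with sector n filled with 00, the same change the
    thread's HxD 'fill selection' step makes. Refuses sector 0, which holds the boot code."""
    if n == 0:
        raise ValueError("sector 0 holds the boot code and partition table; leave it alone")
    start = n * SECTOR_SIZE
    return image[:start] + b"\x00" * SECTOR_SIZE + image[start + SECTOR_SIZE:]


def main() -> None:
    image = build_sample_image()
    print("before:", scan_track0(image))                 # mbr_copies [9], nonzero [9, 10]
    print("after: ", scan_track0(zero_sector(image, 9)))  # mbr_copies [], nonzero [10]


if __name__ == "__main__":
    main()
```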
Re: Please check after repair and cleaning
Yes, I'm on the physical disk. And I looked at the other two, and from them I could tell which one is which: "ours" has information about the MBR and the other about GRUB, which matches. All of them have crazy numbers instead of zeros (the picture above).
Oh, and sorry, I forgot to mention that there's a hidden partition on the disk with the system installation from the manufacturer.
I'll try the system disk check.
So do you think the PC is otherwise clean? Should I post a log again? Or maybe ESET Mebroot Remover and the Cure It scanner?
I'm a bit paranoid about security. I've cleaned a few PCs, but never this thoroughly, down to the disk sectors. You have my great admiration.
Re: Please check after repair and cleaning
It should be clean; after all, you already fixed the boot sector yourself.
In GMER there's also no mention of the MBR rootkit; only that sector 09 is a cosmetic thing
I'd rather not touch it, so you don't lose any data.
We'll do Combofix and Web CureIt, which is also good for this infection, and see whether it finds anything else.
You don't need ESET Mebroot Remover, Bootkit remover didn't detect any infection.
You don't need to admire me, I can see you know your way around this
If you don't have it there, move Combofix to the desktop
- open Notepad
- copy the text from this box into it
Collect::
c:\program files\Common Files\kg.exe
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1617985853-1512789681-1251605036-1000]
"EnableNotificationsRef"=dword:00000000
FixCSet::
- save the TXT file you created as CFScript.txt on the desktop
- after saving, grab the script you created with the left mouse button and drop it onto the Combofix icon:
- after it runs, another log will pop up, paste it here
Warning: it may happen that after applying the script and restarting, Windows doesn't boot; in that case restart again while pressing F8, then choose Last Known Good Configuration
Download Dr.Web CureIt http://www.viry.cz/forum/viewtopic.php?f=29&t=47721
- run a scan, let it cure or delete what it finds
- the scan can take several hours
- File/Save results - save it as a text file and copy it here