VIRY.CZ

Pomáháme v boji s počítačovou havěti!
https://forum.viry.cz:443/

Rootkit.win32.TDSS.ap

https://forum.viry.cz:443/viewtopic.php?t=107900

Stránka 1 z 2

Rootkit.win32.TDSS.ap

Napsal: 27 pro 2010 15:59
od pavel.roszler
Přeji pěkný den
Kdysi jsem tu řešil, jednu chybovou hlášku win generic host process ohlásil chybu atd. Notebook měl problémy se zvukovou kartou, nastavením sítě a pod. Nešel mi spustit Spyboot ani Combofix a téma zmizelo z fóra. Zkusil jsem tedy nejprve nějakou bootovací verzi AVG a našel isapnp.sys neuměl ho vyléčit a jen nakopírovat nový soubor nestačilo vždy se vrátil ten nakažený, měl jinou velikost než ten nenakažený. Tak jsem našel Kasperski rescue cd, vyšlo v Chipu. Po nabootování si stáhl aktualizace a našel opět isapnp.sys s tím že je nakažen Rootkit win32.TDSS.ap, po desinfekci se hláška o chybě systému už neobjevila, soubor šel přepsat tím nenakaženým, šel spustit i Spyboot.
Chtěl bych vědět co ta potvora všechno uměla, případně čím ještě notebook oscanovat.
Na notebooku běží NOD32 pravidelně se aktualizuje, přesto potvorák pronikl.

Re: Rootkit.win32.TDSS.ap

Napsal: 27 pro 2010 16:30
od Diallix
Pekny den.

Takze, malware uz v pc nie je ?

Ono je lepsie, ked sa tu poradite s niekym ako postupovat, ako stahovat live cd a podobne, co by mohlo usetrit kopec casu.

Mozem poprosit o log z RSITU?

Re: Rootkit.win32.TDSS.ap

Napsal: 28 pro 2010 09:50
od pavel.roszler
Doufám ,že už je to v pohodě, log je níže. Já jsem zde ten problém zkoušel řešit,ale byl jsem mimo ČR, internet nic moc, a to co mi radili spustit combofix tak to nešlo. To live CD vyšlo v chipu takže jsem ho našel doma. Občas mám radost když na něco příjdu sám.
Dík Pavel
Logfile of random's system information tool 1.06 (written by random/random)
Run by PRO at 2010-12-28 09:43:36
Systém Microsoft Windows XP Professional Service Pack 3
System drive C: has 10 GB (32%) free of 31 GB
Total RAM: 958 MB (27% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:44:08, on 28.12.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\AuditPro\Scan.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Wave Systems Corp\Common\DataServer.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\StacSV.exe
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\sttray.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Brother\Brmfcmon\BrMfimon.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\totalcmd\TOTALCMD.EXE
D:\Dokumenty\návody\RSIT.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\trend micro\PRO.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://toolbar.inbox.com/search/dispatc ... &%language
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://toolbar.inbox.com/search/ie.aspx ... =11&lng=cs
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://toolbar.inbox.com/help/sa_custom ... tbid=80096
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://toolbar.inbox.com/search/ie.aspx ... =11&lng=cs
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://toolbar.inbox.com/help/sa_custom ... tbid=80096
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: (no name) - {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program

Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: VMN Toolbar - {A057A204-BACC-4D26-8287-79A187E26987} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL
O2 - BHO: (no name) - {a1e75a0e-4397-4ba8-bb50-e19fb66890f4} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: BS.Player ControlBar - {2C688203-7EB3-4327-9995-1CB417BA23F9} - C:\Program Files\BS.Player ControlBar\BSToolbar.dll
O3 - Toolbar: VMN Toolbar - {A057A204-BACC-4D26-8287-79A187E26987} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL
O3 - Toolbar: (no name) - {a1e75a0e-4397-4ba8-bb50-e19fb66890f4} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Document Manager] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [IDTSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: EMBASSY Trust Suite Secure Update.lnk = C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2009\spy.htm
O9 - Extra 'Tools' menuitem: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2009\spy.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/v ... .2.5.0.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - https://juniper.net/dana-cached/sc/Juni ... Client.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pce.era.cz
O17 - HKLM\Software\..\Telephony: DomainName = pce.era.cz
O17 - HKLM\System\CCS\Services\Tcpip\..\{F4B99A69-80BB-4EBE-9009-F97D2C9AED28}: NameServer = 8.8.8.8
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = pce.era.cz
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = pce.era.cz
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = pce.era.cz
O17 - HKLM\System\CS5\Services\Tcpip\Parameters: Domain = pce.era.cz
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: x-wpexpert - {382E05AF-964B-41CE-B2B5-ED0BF48013C0} - (no file)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AuditPro Scan - truconneXion, a. s. - C:\AuditPro\Scan.exe
O23 - Service: DataSvr2 - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Common\DataServer.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Iap - Dell Inc. - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel

32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe
O23 - Service: NTRU Hybrid TSS v2.0.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 11452 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3049C3E9-B461-4BC5-8870-4C09146192CA}]
RealPlayer Download and Record Plugin for Internet Explorer - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll [2009-05-30 312928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A057A204-BACC-4D26-8287-79A187E26987}]
VMN Toolbar - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL [2007-09-24 1966080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a1e75a0e-4397-4ba8-bb50-e19fb66890f4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-11-24 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2010-11-24 79648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2C688203-7EB3-4327-9995-1CB417BA23F9} - BS.Player ControlBar - C:\Program Files\BS.Player ControlBar\BSToolbar.dll [2008-10-08 859592]
{A057A204-BACC-4D26-8287-79A187E26987} - VMN Toolbar - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL [2007-09-24 1966080]
{a1e75a0e-4397-4ba8-bb50-e19fb66890f4}

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Apoint"=C:\Program Files\Apoint\Apoint.exe [2007-04-15 159744]
"Broadcom Wireless Manager UI"=C:\WINDOWS\system32\WLTRAY.exe [2007-03-16 1392640]
"Document Manager"=C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe [2006-09-08 102400]
"ATICCC"=C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe [2006-09-25 90112]
"KADxMain"=C:\WINDOWS\system32\KADxMain.exe [2006-11-02 282624]
"egui"=C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [2009-09-01 1461080]
"BrMfcWnd"=C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe [2008-02-19 1089536]
"ControlCenter3"=C:\Program Files\Brother\ControlCenter3\brctrcen.exe [2007-12-21 86016]
"SunJavaUpdateSched"=C:\Program Files\Common Files\Java\Java Update\jusched.exe [2010-05-14 248552]
"IDTSysTrayApp"=C:\WINDOWS\sttray.exe [2007-09-05 405504]
"SigmatelSysTrayApp"=C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe [2007-05-10 405504]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Anti Trojan Elite]
C:\Program Files\Anti Trojan Elite\TJEnder.exe :NO []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe [2004-07-27 221184]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"XYWVBK"=3
"WMPNetworkSvc"=3
"stllssvr"=3
"SR_WatchDog"=3
"SR_Service"=3
"ServiceLayer"=3
"rpcapd"=3
"PSI_SVC_2"=2
"ose"=3
"NcpSec"=2
"idsvc"=3
"HNetInfo FTP Server"=3
"gupdate"=2
"DWMRCS"=2

C:\Documents and Settings\All Users\Nabídka Start\Programy\Po spuštění
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe
EMBASSY Trust Suite Secure Update.lnk - C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2007-04-24 110592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avldr]
C:\WINDOWS\system32\avldr.dll [2007-02-15 50736]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ckpNotify]
C:\WINDOWS\system32\ckpNotify.dll [2004-07-19 24681]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2009-03-10 265096]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
wvauth

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ekp84.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Kqv74.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Qxd63.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Ekp84.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Kqv74.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\PEVSystemStart]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\procexp90.Sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Qxd63.sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=1
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"disablecad"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoDesktopCleanupWizard"=1
"ForceRunOnStartMenu"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoMSAppLogo5ChannelNotify"=
"NoPublishingWizard"=
"NoWebServices"=
"NoDriveTypeAutoRun"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\WINDOWS\system32\dpvsetup.exe"="C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\WINDOWS\system32\rundll32.exe"="C:\WINDOWS\system32\rundll32.exe:*:Enabled:Run a DLL as an App"
"F:\komuni\komuni\Portable Skype\skype\Skype.exe"="F:\komuni\komuni\Portable Skype\skype\Skype.exe:*:Enabled:Skype"
"C:\Program Files\ICQ6\ICQ.exe"="C:\Program Files\ICQ6\ICQ.exe:*:Enabled:ICQ6"
"C:\Program Files\Nero\Nero 7\Nero Home\NeroHome.exe"="C:\Program Files\Nero\Nero 7\Nero Home\NeroHome.exe:*:Enabled:Nero Home"
"C:\totalcmd\TOTALCMD.EXE"="C:\totalcmd\TOTALCMD.EXE:*:Enabled:Total Commander 32 bit international version, file manager replacement for Windows"
"C:\Program Files\Lantronix\DeviceInstaller\DeviceInstaller.exe"="C:\Program Files\Lantronix\DeviceInstaller\DeviceInstaller.exe:*:Enabled:DeviceInstaller"
"C:\Program Files\HNetInfo2\HServer\HServer.exe"="C:\Program Files\HNetInfo2\HServer\HServer.exe:*:Enabled:HNetInfo FTP Server"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\NinjaTrader 6.5\bin\NinjaTrader.exe"="C:\Program Files\NinjaTrader 6.5\bin\NinjaTrader.exe:*:Enabled:NinjaTrader application"
"D:\Nová složka\Repair.exe"="D:\Nová složka\Repair.exe:*:Enabled:Blizzard Repair Utility"
"D:\Program Files\Counter-Strike\hl.exe"="D:\Program Files\Counter-Strike\hl.exe:*:Enabled:Half-Life Launcher"
"D:\Program Files\Counter-Strike\hlds.exe"="D:\Program Files\Counter-Strike\hlds.exe:*:Enabled:HLDS Launcher"
"D:\Program Files\Counter-Strike\cstrike.exe"="D:\Program Files\Counter-Strike\cstrike.exe:*:Enabled:Counter-Strike Launcher"
"D:\Program Files\Counter-Strike Source\hl2.exe"="D:\Program Files\Counter-Strike Source\hl2.exe:*:Enabled:hl2"
"C:\Program Files\ICQ6.5\ICQ.exe"="C:\Program Files\ICQ6.5\ICQ.exe:*:Enabled:ICQ6"
"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"
"C:\Program Files\Skype\Plugin Manager\skypePM.exe"="C:\Program Files\Skype\Plugin Manager\skypePM.exe:*:Enabled:Skype Extras Manager"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"
"C:\WINDOWS\system32\spoolsv.exe"="C:\WINDOWS\system32\spoolsv.exe:*:Enabled:spoolsv.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\ICQ6\ICQ.exe"="C:\Program Files\ICQ6\ICQ.exe:*:Enabled:ICQ Library"
"C:\WINDOWS\system32\dpvsetup.exe"="C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\WINDOWS\system32\rundll32.exe"="C:\WINDOWS\system32\rundll32.exe:*:Enabled:Run a DLL as an App"
"C:\Program Files\ERA\SepHme\Sep.exe"="C:\Program Files\ERA\SepHme\Sep.exe:*:Enabled:SEP"
"C:\Program Files\ERA\display_4.2.5.0\Display.exe"="C:\Program Files\ERA\display_4.2.5.0\Display.exe:*:Enabled:Display"
"C:\Program Files\Lantronix\DeviceInstaller\DeviceInstaller.exe"="C:\Program Files\Lantronix\DeviceInstaller\DeviceInstaller.exe:*:Enabled:DeviceInstaller"
"C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP1\Win32\RpcDataSrv.exe"="C:\Program Files\SiSoftware\SiSoftware Sandra Lite

XII.SP1\Win32\RpcDataSrv.exe:*:Enabled:SiSoftware Database Agent Service"
"C:\Program Files\NinjaTrader 6.5\bin\NinjaTrader.exe"="C:\Program Files\NinjaTrader 6.5\bin\NinjaTrader.exe:*:Enabled:NinjaTrader application"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe"="C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe:*:Enabled:SR_GUI"
"C:\Program Files\Electronic Arts\EADM\Core.exe"="C:\Program Files\Electronic Arts\EADM\Core.exe:*:Enabled:EA Download Manager"
"G:\LKPR\LCMS\CMS\display\Display.exe"="G:\LKPR\LCMS\CMS\display\Display.exe:*:Enabled:Display"
"C:\Program Files\ERA\Analyz_3.27\Analys.exe"="C:\Program Files\ERA\Analyz_3.27\Analys.exe:*:Enabled:Analys"
"G:\P3D_AS_Praha_Pripojeni_adresy\Danware Data\NetOp Remote Control\Guest\NGSTW32.EXE"="G:\P3D_AS_Praha_Pripojeni_adresy\Danware Data\NetOp Remote

Control\Guest\NGSTW32.EXE:*:Enabled:NetOp 32 Guest Application."
"C:\Program Files\VertrigoServ\Mysql\bin\v_mysqld.exe"="C:\Program Files\VertrigoServ\Mysql\bin\v_mysqld.exe:*:Enabled:v_mysqld"
"C:\Program Files\VertrigoServ\Apache\bin\v_apache.exe"="C:\Program Files\VertrigoServ\Apache\bin\v_apache.exe:*:Enabled:Apache HTTP Server"
"C:\totalcmd\TOTALCMD.EXE"="C:\totalcmd\TOTALCMD.EXE:*:Enabled:Total Commander 32 bit international version, file manager replacement for Windows"
"C:\Program Files\Skype\Plugin Manager\skypePM.exe"="C:\Program Files\Skype\Plugin Manager\skypePM.exe:*:Enabled:Skype Extras Manager"
"C:\Program Files\Lantronix\DeviceInstaller4.3\DeviceInstaller.exe"="C:\Program

Files\Lantronix\DeviceInstaller4.3\DeviceInstaller.exe:*:Enabled:DeviceInstaller"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype. Take a deep breath "
"C:\Program Files\Google\Google Earth\client\googleearth.exe"="C:\Program Files\Google\Google Earth\client\googleearth.exe:*:Enabled:Google Earth"
"C:\WINDOWS\system32\spoolsv.exe"="C:\WINDOWS\system32\spoolsv.exe:*:Enabled:spoolsv.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
shell\AutoRun\command - H:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4b5e05ea-ecca-11df-915c-001a6b441fd4}]
shell\AutoRun\command - G:\AutoRun.exe


======List of files/folders created in the last 1 months======

2010-12-26 20:48:40 ----A---- C:\WINDOWS\system32\javaws.exe
2010-12-26 20:48:40 ----A---- C:\WINDOWS\system32\javaw.exe
2010-12-26 20:48:40 ----A---- C:\WINDOWS\system32\java.exe
2010-12-25 19:44:17 ----AD---- C:\Kaspersky Rescue Disk 10.0
2010-12-11 07:21:40 ----D---- C:\Program Files\Common Files\Skype
2010-12-04 07:19:05 ----D---- C:\spoolerlogs
2010-12-03 10:48:01 ----D---- C:\WINDOWS\pss
2010-12-03 09:19:25 ----HD---- C:\WINDOWS\system32\dwrcssft
2010-12-03 09:19:23 ----A---- C:\WINDOWS\system32\DWRCST.EXE
2010-12-03 09:19:23 ----A---- C:\WINDOWS\system32\DWRCSh32.dll
2010-12-03 09:19:23 ----A---- C:\WINDOWS\system32\DWRCSET.DLL
2010-12-03 09:19:23 ----A---- C:\WINDOWS\system32\DWRCK.DLL
2010-12-03 09:19:21 ----A---- C:\WINDOWS\system32\DWRCS.EXE
2010-12-02 08:22:53 ----D---- C:\Program Files\Microsoft Silverlight

======List of files/folders modified in the last 1 months======

2010-12-28 09:43:41 ----D---- C:\Program Files\trend micro
2010-12-28 09:43:39 ----D---- C:\WINDOWS\Prefetch
2010-12-28 09:42:20 ----A---- C:\WINDOWS\wincmd.ini
2010-12-28 09:41:48 ----D---- C:\WINDOWS\Temp
2010-12-28 09:30:50 ----D---- C:\WINDOWS
2010-12-28 09:29:51 ----A---- C:\WINDOWS\ModemLog_Nokia 6103 Bluetooth Modem.txt
2010-12-28 09:29:51 ----A---- C:\WINDOWS\ModemLog_Conexant HDA D330 MDC V.92 Modem.txt
2010-12-27 16:45:33 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-12-27 09:15:43 ----D---- C:\WINDOWS\system32\CatRoot2
2010-12-26 20:49:03 ----SHD---- C:\WINDOWS\Installer
2010-12-26 20:49:03 ----D---- C:\Config.Msi
2010-12-26 20:48:40 ----D---- C:\WINDOWS\system32
2010-12-26 20:48:37 ----D---- C:\Program Files\Java
2010-12-26 18:01:07 ----D---- C:\Program Files\QuickTime
2010-12-26 12:38:50 ----D---- C:\Program Files\Adobe
2010-12-25 21:17:03 ----D---- C:\Documents and Settings\All Users\Data aplikací\Spybot - Search & Destroy
2010-12-25 21:10:09 ----RSHD---- C:\WINDOWS\system32\dllcache
2010-12-25 21:10:04 ----D---- C:\WINDOWS\system32\drivers
2010-12-25 16:28:14 ----SHD---- C:\System Volume Information
2010-12-25 16:28:14 ----D---- C:\WINDOWS\system32\Restore
2010-12-25 09:08:05 ----A---- C:\WINDOWS\ntbtlog.txt
2010-12-24 07:30:37 ----SHD---- C:\WINDOWS\CSC
2010-12-21 06:42:12 ----RD---- C:\Program Files
2010-12-21 05:38:12 ----AC---- C:\WINDOWS\hcomw32.ini
2010-12-21 05:28:16 ----A---- C:\WINDOWS\dload32.INI
2010-12-21 05:28:16 ----A---- C:\WINDOWS\COMWRK32.INI
2010-12-21 04:03:57 ----D---- C:\Documents and Settings\PRO\Data aplikací\XnView
2010-12-20 13:19:27 ----D---- C:\Documents and Settings\PRO\Data aplikací\Skype
2010-12-20 11:05:31 ----D---- C:\Documents and Settings\PRO\Data aplikací\skypePM
2010-12-11 22:10:32 ----D---- C:\Program Files\Mozilla Firefox
2010-12-11 07:21:40 ----RD---- C:\Program Files\Skype
2010-12-11 07:21:40 ----D---- C:\Program Files\Common Files
2010-12-11 07:21:21 ----D---- C:\Documents and Settings\All Users\Data aplikací\Skype
2010-12-09 01:23:44 ----HD---- C:\WINDOWS\inf
2010-12-08 12:21:24 ----ASH---- C:\boot.ini
2010-12-08 12:21:22 ----A---- C:\WINDOWS\win.ini
2010-12-08 12:21:22 ----A---- C:\WINDOWS\system.ini
2010-12-06 07:55:53 ----A---- C:\WINDOWS\BRWMARK.INI
2010-12-06 07:55:53 ----A---- C:\WINDOWS\BRPP2KA.INI
2010-12-06 06:52:51 ----D---- C:\WINDOWS\security
2010-12-05 08:08:26 ----A---- C:\WINDOWS\WTRAN32.INI
2010-12-03 10:51:54 ----D---- C:\Program Files\Common Files\Autodesk Shared
2010-12-03 10:51:54 ----D---- C:\Documents and Settings\All Users\Data aplikací\Autodesk
2010-12-03 10:51:28 ----RSD---- C:\WINDOWS\assembly
2010-12-02 08:26:07 ----D---- C:\Program Files\Internet Explorer
2010-12-02 08:26:05 ----D---- C:\WINDOWS\ie8updates
2010-12-02 08:25:00 ----HD---- C:\WINDOWS\$hf_mig$
2010-12-02 08:24:40 ----D---- C:\Documents and Settings\All Users\Data aplikací\Microsoft Help
2010-11-30 17:24:53 ----A---- C:\WINDOWS\ModemLog_HUAWEI Mobile Connect - Modem #2.txt

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 APPDRV;APPDRV; C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS [2005-08-12 16128]
R1 DLACDBHM;DLACDBHM; C:\WINDOWS\System32\Drivers\DLACDBHM.SYS [2006-08-11 12920]
R1 DLARTL_M;DLARTL_M; C:\WINDOWS\System32\Drivers\DLARTL_M.SYS [2006-08-11 28184]
R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver; C:\WINDOWS\system32\DRIVERS\dwvkbd.sys [2007-02-15 26624]
R1 easdrv;easdrv; C:\WINDOWS\system32\DRIVERS\easdrv.sys [2009-09-01 54184]
R1 epfwtdir;epfwtdir; C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2009-09-01 35168]
R1 omci;OMCI WDM Device Driver; C:\WINDOWS\system32\DRIVERS\omci.sys [2007-09-25 19968]
R1 Tosrfcom;Bluetooth RFCOMM; C:\WINDOWS\System32\Drivers\tosrfcom.sys [2007-04-26 64896]
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2008-04-13 8832]
R2 DLABMFSM;DLABMFSM; C:\WINDOWS\System32\DLA\DLABMFSM.SYS [2006-08-18 35096]
R2 DLABOIOM;DLABOIOM; C:\WINDOWS\System32\DLA\DLABOIOM.SYS [2006-08-18 32472]
R2 DLADResM;DLADResM; C:\WINDOWS\System32\DLA\DLADResM.SYS [2006-08-18 9400]
R2 DLAIFS_M;DLAIFS_M; C:\WINDOWS\System32\DLA\DLAIFS_M.SYS [2006-08-18 104472]
R2 DLAOPIOM;DLAOPIOM; C:\WINDOWS\System32\DLA\DLAOPIOM.SYS [2006-08-18 26008]
R2 DLAPoolM;DLAPoolM; C:\WINDOWS\System32\DLA\DLAPoolM.SYS [2006-08-18 14520]
R2 DLAUDF_M;DLAUDF_M; C:\WINDOWS\System32\DLA\DLAUDF_M.SYS [2006-08-18 97848]
R2 DLAUDFAM;DLAUDFAM; C:\WINDOWS\System32\DLA\DLAUDFAM.SYS [2006-08-18 94648]
R2 DRVNDDM;DRVNDDM; C:\WINDOWS\System32\Drivers\DRVNDDM.SYS [2006-08-11 51768]
R2 eamon;EAMON; C:\WINDOWS\system32\DRIVERS\eamon.sys [2009-09-01 40824]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2007-01-31 12672]
R2 NwlnkIpx;Transportní protokol kompatibilní s NWLink IPX/SPX/NetBIOS; C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys [2008-04-13 88320]
R2 NwlnkNb;Služba NWLink pro rozhraní NetBIOS; C:\WINDOWS\system32\DRIVERS\nwlnknb.sys [2004-08-18 63232]
R2 NwlnkSpx;Protokol NWLink SPX/SPXII; C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys [2004-08-18 55936]
R2 Scap;SecureClient Application Policy Module; C:\WINDOWS\System32\DRIVERS\Scap.sys [2004-07-19 17424]
R2 Sentinel;Sentinel; C:\WINDOWS\System32\Drivers\SENTINEL.SYS [2008-03-12 76288]
R2 VPN-1;VPN-1 Module; C:\WINDOWS\System32\drivers\vpn.sys [2004-07-19 668432]
R2 XilinxPC4Driver;XilinxPC4Driver; C:\WINDOWS\System32\drivers\XPC4DRVR.SYS [2006-06-20 16000]
R3 ApfiltrService;Alps Touch Pad Filter Driver for Windows 2000/XP/Vista; C:\WINDOWS\system32\DRIVERS\Apfiltr.sys [2007-04-15 132608]
R3 Arp1394;Protokol 1394 ARP Client; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2007-04-24 1975808]
R3 b57w2k;Broadcom NetXtreme Gigabit Ethernet; C:\WINDOWS\system32\DRIVERS\b57xp32.sys [2007-03-20 160256]
R3 BCM43XX;Ovladač bezdrátové karty Dell WLAN; C:\WINDOWS\system32\DRIVERS\bcmwl5.sys [2007-03-16 604928]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-13 13952]
R3 DwMirror;DwMirror; C:\WINDOWS\system32\DRIVERS\DamewareMini.sys [2007-02-07 3712]
R3 FW1;SecuRemote Miniport; C:\WINDOWS\system32\DRIVERS\fw.sys [2004-07-19 2038704]
R3 HDAudBus;Ovladač Microsoft UAA pro sběrnici High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HidUsb;Ovladač třídy standardu HID; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 HSF_DPV;HSF_DPV; C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys [2007-01-31 989696]
R3 HSFHWAZL;HSFHWAZL; C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys [2007-01-31 209152]
R3 mouhid;Ovladač myši standardu HID; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-10-24 12160]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2004-08-18 5888]
R3 STHDA;SigmaTel High Definition Audio CODEC; C:\WINDOWS\system32\drivers\sthda.sys [2007-05-10 1222840]
R3 StillCam;Ovladač digitálního fotoaparátu pro sériový port; C:\WINDOWS\system32\DRIVERS\serscan.sys [2001-10-24 6784]
R3 tosporte;Bluetooth COM Port; C:\WINDOWS\system32\DRIVERS\tosporte.sys [2007-04-26 41600]
R3 tosrfbd;Bluetooth RFBUS; C:\WINDOWS\system32\DRIVERS\tosrfbd.sys [2007-04-26 113920]
R3 tosrfbnp;Bluetooth RFBNEP; C:\WINDOWS\System32\Drivers\tosrfbnp.sys [2007-04-26 36480]
R3 Tosrfhid;Bluetooth RFHID; C:\WINDOWS\system32\DRIVERS\Tosrfhid.sys [2007-04-26 73600]
R3 tosrfnds;Bluetooth Personal Area Network; C:\WINDOWS\system32\DRIVERS\tosrfnds.sys [2007-04-26 18612]
R3 Tosrfusb;Bluetooth USB Controller; C:\WINDOWS\system32\DRIVERS\tosrfusb.sys [2007-04-26 41856]
R3 usbehci;Ovladač miniportu rozšířeného radiče hostitele Microsoft USB 2.0; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Rozbočovač umožnující USB2; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Ovladač Miniport otevřeného hostitelského řadiče Microsoft USB; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2007-01-31 730112]
R3 WinDriver6;WinDriver6; C:\WINDOWS\system32\drivers\windrvr6.sys [2009-04-11 194362]
S1 Uim_IM;UIM Drive Backup Image Plugin; C:\WINDOWS\System32\Drivers\Uim_IM.sys []
S1 UimBus;Universal Image Mounter Controller; C:\WINDOWS\system32\DRIVERS\UimBus.sys []
S2 ATE_PROCMON;ATE_PROCMON; \??\C:\Program Files\Anti Trojan Elite\ATEPMon.sys []
S3 aomnun88;aomnun88; C:\WINDOWS\system32\drivers\aomnun88.sys []
S3 catchme;catchme; \??\C:\DOCUME~1\PRO\LOCALS~1\Temp\catchme.sys []
S3 dsNcAdpt;Juniper Network Connect Adapter; C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys []
S3 DXEC01;DXEC01; C:\WINDOWS\system32\drivers\dxec01.sys [2006-11-02 97536]
S3 EL90XBC;3Com EtherLink XL 90XB/C Adapter Driver; C:\WINDOWS\system32\DRIVERS\el90xbc5.sys [2001-08-17 66591]
S3 hamachi;Hamachi Network Interface; C:\WINDOWS\system32\DRIVERS\hamachi.sys [2009-08-23 25280]
S3 hwdatacard;Huawei DataCard USB Modem and USB Serial; C:\WINDOWS\system32\DRIVERS\ewusbmdm.sys [2009-09-10 102528]
S3 hwusbdev;Huawei DataCard USB PNP Device; C:\WINDOWS\system32\DRIVERS\ewusbdev.sys [2009-10-12 100736]
S3 nm;Ovladač programu Sledování sítě; C:\WINDOWS\system32\DRIVERS\NMnt.sys [2008-04-13 40320]
S3 NPF;NetGroup Packet Filter Driver; C:\WINDOWS\system32\drivers\npf.sys [2007-11-06 34064]
S3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
S3 OMVA;VPN-1 SecureClient Adapter; C:\WINDOWS\system32\DRIVERS\OMVA.sys [2004-07-19 14924]
S3 pccsmcfd;PCCS Mode Change Filter Driver; C:\WINDOWS\system32\DRIVERS\pccsmcfd.sys [2007-09-17 21632]
S3 sermouse;Ovladač sériové myši; C:\WINDOWS\system32\DRIVERS\sermouse.sys [2001-10-24 17664]
S3 Sntnlusb;Rainbow USB SuperPro; C:\WINDOWS\system32\DRIVERS\SNTNLUSB.SYS [2008-03-12 26120]
S3 usb_rndisx;Adaptér USB RNDIS; C:\WINDOWS\system32\DRIVERS\usb8023x.sys [2008-04-13 12800]
S3 usbccgp;Obecný nadřazený ovladač Microsoft USB; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-14 32128]
S3 usbser;USB Serial emulation driver; C:\WINDOWS\system32\DRIVERS\usbser.sys [2008-04-13 26112]
S3 USBSTOR;Ovladač velkokapacitního paměťového zařízení USB; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 usbuhci;Ovladač Microsoft univerzálního hostitelského řadiče USB od společnosti Microsoft; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S3 wceusbsh;Windows CE USB Serial Host Driver; C:\WINDOWS\system32\DRIVERS\wceusbsh.sys [2006-11-06 28672]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-15 82688]
S3 XilinxFirmwareEmbeddedLoader;XilinxFirmwareEmbeddedLoader; C:\WINDOWS\System32\Drivers\xusb_xup.sys [2009-03-27 17408]
S3 XilinxFirmwareEmbeddedLpLoader;XilinxFirmwareEmbeddedLpLoader; C:\WINDOWS\System32\Drivers\xusb_emb.sys [2009-03-27 17408]
S3 XilinxFirmwareLoader;XilinxFirmwareLoader; C:\WINDOWS\System32\Drivers\xusbdfwu.sys [2009-03-27 17280]
S3 XilinxFirmwareLpLoader;XilinxFirmwareLpLoader; C:\WINDOWS\System32\Drivers\xusb_xlp.sys [2009-03-27 17280]
S3 XilinxFirmwarePusb2Loader;XilinxFirmwarePusb2Loader; C:\WINDOWS\System32\Drivers\xusb_xp2.sys [2009-03-27 17920]
S3 XilinxFirmwarePusb2SeLoader;XilinxFirmwarePusb2SeLoader; C:\WINDOWS\System32\Drivers\xusb_xse.sys [2009-03-27 17920]
S4 agp440;Filtr Intel sběrnice AGP; C:\WINDOWS\system32\DRIVERS\agp440.sys [2008-04-13 42368]
S4 agpCPQ;Filtr Compaq sběrnice AGP; C:\WINDOWS\system32\DRIVERS\agpCPQ.sys [2008-04-13 44928]
S4 alim1541;Filtr ALI sběrnice AGP; C:\WINDOWS\system32\DRIVERS\alim1541.sys [2008-04-13 42752]
S4 amdagp;Ovladač filtru AMD portu AGP; C:\WINDOWS\system32\DRIVERS\amdagp.sys [2008-04-13 43008]
S4 cbidf;cbidf; C:\WINDOWS\system32\DRIVERS\cbidf2k.sys [2001-08-17 13952]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\DRIVERS\intelide.sys [2008-04-14 5504]
S4 sisagp;Filtr SIS sběrnice AGP ; C:\WINDOWS\system32\DRIVERS\sisagp.sys [2008-04-13 40960]
S4 viaagp;Filtr VIA sběrnice AGP ; C:\WINDOWS\system32\DRIVERS\viaagp.sys [2008-04-13 42240]
S4 WS2IFSL;Podpůrné prostředí zprostředkovatele služeb Windows Socket 2.0 bez podpory IFS; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-08-18 12032]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2007-04-24 446464]
R2 AuditPro Scan;AuditPro Scan; C:\AuditPro\Scan.exe [2010-04-01 1471840]
R2 DataSvr2;DataSvr2; C:\Program Files\Wave Systems Corp\Common\DataServer.exe [2006-09-05 315392]
R2 ekrn;Eset Service; C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [2009-09-01 472280]
R2 Iap;Iap; C:\Program Files\Dell\OpenManage\Client\Iap.exe [2007-09-25 240416]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2010-11-12 153376]
R2 STacSV;SigmaTel Audio Service; C:\WINDOWS\system32\StacSV.exe [2007-05-10 94208]
R2 tcsd_win32.exe;NTRU Hybrid TSS v2.0.25 TCS; C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe [2006-06-12 180224]
R2 wltrysvc;Dell Wireless WLAN Tray Service; C:\WINDOWS\System32\WLTRYSVC.EXE [2007-03-16 20480]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86; C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18

130384]
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-14 268288]
S2 P1C1394;Phase One 1394 Camera Driver; C:\WINDOWS\System32\Drivers\p1c1394.sys []
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe [2010-03-18 35160]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25

69632]
S3 EhttpSrv;Eset HTTP Server; C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe [2009-09-01 20680]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29

46104]
S3 getPlusHelper;getPlus(R) Helper; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 NICCONFIGSVC;NICCONFIGSVC; C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe [2007-02-20 475136]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712]
S3 WinRM;Windows Remote Management (WS-Management); C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe

[2010-03-18 753504]
S4 CQXBBRZDL;CQXBBRZDL; C:\DOCUME~1\PRO\LOCALS~1\Temp\CQXBBRZDL.exe []
S4 DWMRCS;DameWare Mini Remote Control; C:\WINDOWS\SYSTEM32\DWRCS.EXE [2009-02-04 234496]
S4 gupdate;Google Update Service (gupdate); C:\Program Files\Google\Update\GoogleUpdate.exe [2009-11-25 135664]
S4 HNetInfo FTP Server;HNetInfo FTP Server; C:\Program Files\HNetInfo2\HServer\startsrv.exe [2004-11-20 57344]
S4 idsvc;Služba Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S4 NcpSec;NcpSec; C:\WINDOWS\ncple\ncpsec.exe []
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe [2010-03-18 124240]
S4 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S4 PSI_SVC_2;Protexis Licensing V2; c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe [2010-03-11 193824]
S4 rpcapd;Remote Packet Capture Protocol v.0 (experimental); C:\Program Files\WinPcap\rpcapd.exe [2007-11-06 92792]
S4 ServiceLayer;ServiceLayer; C:\Program Files\PC Connectivity Solution\ServiceLayer.exe [2008-08-07 575488]
S4 SR_Service;Check Point SecuRemote Service; C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe [2004-07-19 86128]
S4 SR_WatchDog;Check Point SecuRemote WatchDog; C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe [2004-07-19 86129]
S4 stllssvr;stllssvr; C:\Program Files\Common Files\SureThing Shared\stllssvr.exe [2006-09-14 73728]
S4 WMPNetworkSvc;Služba Windows Media Player Network Sharing; C:\Program Files\Windows Media Player\WMPNetwk.exe [2007-01-05 913920]
S4 XYWVBK;XYWVBK; C:\DOCUME~1\PRO\LOCALS~1\Temp\XYWVBK.exe []

-----------------EOF-----------------

Re: Rootkit.win32.TDSS.ap

Napsal: 29 pro 2010 00:38
od Diallix
Dobre, samozrejme :)

Mozete urobit novy log z combofixu a ten dat sem ?

Re: Rootkit.win32.TDSS.ap

Napsal: 29 pro 2010 08:29
od pavel.roszler
Jasně log je zde:
ComboFix 10-12-28.02 - PRO 29.12.2010 8:10.1.2 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.958.505 [GMT 1:00]
Spuštěný z: c:\documents and settings\PRO\Plocha\ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\ST6UNST.000
c:\windows\system\mscomctl.ocx
c:\windows\system32\Oeminfo.ini

.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TCPSR


((((((((((((((((((((((((( Soubory vytvořené od 2010-11-28 do 2010-12-29 )))))))))))))))))))))))))))))))
.

2010-12-25 18:44 . 2010-12-25 21:05 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2010-12-11 06:21 . 2010-12-11 06:21 -------- d-----w- c:\program files\Common Files\Skype
2010-12-04 06:19 . 2010-12-04 06:19 -------- d-----w- C:\spoolerlogs
2010-12-03 08:19 . 2010-12-03 10:04 -------- d--h--w- c:\windows\system32\dwrcssft
2010-12-03 08:19 . 2009-02-04 14:35 78848 ----a-w- c:\windows\system32\DWRCST.EXE
2010-12-03 08:19 . 2009-02-04 14:34 61440 ----a-w- c:\windows\system32\DWRCSh32.dll
2010-12-03 08:19 . 2009-02-04 14:34 233472 ----a-w- c:\windows\system32\DWRCSET.DLL
2010-12-03 08:19 . 2009-02-04 14:34 53248 ----a-w- c:\windows\system32\DWRCK.DLL
2010-12-03 08:19 . 2009-02-04 14:34 234496 ----a-w- c:\windows\system32\DWRCS.EXE
2010-12-02 07:22 . 2010-12-02 07:22 -------- d-----w- c:\program files\Microsoft Silverlight

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-14 13:03 . 2010-11-14 13:03 49152 ----a-w- c:\windows\system32\md5sum.exe
2010-11-12 17:53 . 2010-05-21 22:24 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-12 15:34 . 2008-02-14 05:15 73728 ----a-w- c:\windows\system32\javacpl.cpl
.

(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-8287-79A187E26987}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2007-04-15 159744]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
"Document Manager"="c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [2006-09-08 102400]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-09-01 1461080]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2008-02-19 1089536]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-12-21 86016]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"IDTSysTrayApp"="sttray.exe" [2007-09-05 405504]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]
"TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-18 2247]

c:\documents and settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-1-11 2150400]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-7-24 50688]
EMBASSY Trust Suite Secure Update.lnk - c:\program files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe [2006-8-25 192512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoMSAppLogo5ChannelNotify"= 1 (0x1)
"NoPublishingWizard"= 1 (0x1)
"NoWebServices"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceRunOnStartMenu"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
2007-02-15 18:02 50736 ----a-w- c:\windows\system32\avldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
2004-07-19 09:53 24681 ----a-w- c:\windows\system32\ckpNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\wxvault.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Qxd63.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-07-27 15:50 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"XYWVBK"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"stllssvr"=3 (0x3)
"SR_WatchDog"=3 (0x3)
"SR_Service"=3 (0x3)
"ServiceLayer"=3 (0x3)
"rpcapd"=3 (0x3)
"PSI_SVC_2"=2 (0x2)
"ose"=3 (0x3)
"NcpSec"=2 (0x2)
"idsvc"=3 (0x3)
"HNetInfo FTP Server"=3 (0x3)
"gupdate"=2 (0x2)
"DWMRCS"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ISUSPM Startup"=c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\totalcmd\\TOTALCMD.EXE"=
"c:\\Program Files\\HNetInfo2\\HServer\\HServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [24.7.2007 12:57 3456]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [5.9.2007 18:26 685816]
R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [15.2.2007 18:00 26624]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [21.12.2007 8:21 35168]
R2 Scap;SecureClient Application Policy Module;c:\windows\system32\drivers\scap.sys [1.8.2008 6:53 17424]
R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [1.8.2008 6:53 668432]
R3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [7.2.2007 18:00 3712]
R3 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [1.8.2008 6:54 2038704]
S0 Qxd63;Qxd63;c:\windows\system32\Drivers\Qxd63.sys --> c:\windows\system32\Drivers\Qxd63.sys [?]
S2 ATE_PROCMON;ATE_PROCMON;\??\c:\program files\Anti Trojan Elite\ATEPMon.sys --> c:\program files\Anti Trojan Elite\ATEPMon.sys [?]
S2 AuditPro Scan;AuditPro Scan;c:\auditpro\SCAN.EXE [21.4.2010 8:53 1471840]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18.3.2010 12:16 130384]
S2 P1C1394;Phase One 1394 Camera Driver;c:\windows\system32\Drivers\p1c1394.sys --> c:\windows\system32\Drivers\p1c1394.sys [?]
S3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [2.11.2006 12:32 97536]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [10.11.2010 14:03 100736]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [6.11.2007 21:22 34064]
S3 OMVA;VPN-1 SecureClient Adapter;c:\windows\system32\drivers\OMVA.sys [1.8.2008 6:54 14924]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [13.9.2004 16:20 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18.3.2010 12:16 753504]
S3 XilinxFirmwareEmbeddedLoader;XilinxFirmwareEmbeddedLoader;c:\windows\system32\drivers\xusb_xup.sys [6.1.2010 11:06 17408]
S3 XilinxFirmwareEmbeddedLpLoader;XilinxFirmwareEmbeddedLpLoader;c:\windows\system32\drivers\xusb_emb.sys [6.1.2010 11:06 17408]
S3 XilinxFirmwareLoader;XilinxFirmwareLoader;c:\windows\system32\drivers\xusbdfwu.sys [21.2.2008 11:09 17280]
S3 XilinxFirmwareLpLoader;XilinxFirmwareLpLoader;c:\windows\system32\drivers\xusb_xlp.sys [6.1.2010 11:06 17280]
S3 XilinxFirmwarePusb2Loader;XilinxFirmwarePusb2Loader;c:\windows\system32\drivers\xusb_xp2.sys [6.1.2010 11:06 17920]
S3 XilinxFirmwarePusb2SeLoader;XilinxFirmwarePusb2SeLoader;c:\windows\system32\drivers\xusb_xse.sys [6.1.2010 11:06 17920]
S4 CQXBBRZDL;CQXBBRZDL;c:\docume~1\PRO\LOCALS~1\Temp\CQXBBRZDL.exe --> c:\docume~1\PRO\LOCALS~1\Temp\CQXBBRZDL.exe [?]
S4 ekrn;Eset Service;c:\program files\Eset\ESET NOD32 Antivirus\ekrn.exe [7.10.2009 8:16 472280]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [25.11.2009 8:04 135664]
S4 HNetInfo FTP Server;HNetInfo FTP Server;c:\program files\HNetInfo2\HServer\startsrv.exe [20.11.2004 20:22 57344]
S4 NcpSec;NcpSec;c:\windows\ncple\ncpsec.exe --> c:\windows\ncple\ncpsec.exe [?]
S4 XYWVBK;XYWVBK;c:\docume~1\PRO\LOCALS~1\Temp\XYWVBK.exe --> c:\docume~1\PRO\LOCALS~1\Temp\XYWVBK.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
WINRM REG_MULTI_SZ WINRM
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Obsah adresáře 'Naplánované úlohy'

2010-12-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-25 07:04]

2010-12-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-25 07:04]
.
.
------- Doplňkový sken -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {F4B99A69-80BB-4EBE-9009-F97D2C9AED28} = 8.8.8.8
FF - ProfilePath - c:\documents and settings\PRO\Data aplikací\Mozilla\Firefox\Profiles\eynerzcn.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2475029&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.seznam.cz/
FF - prefs.js: network.proxy.ftp - 172.20.1.122
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.gopher - 172.20.1.122
FF - prefs.js: network.proxy.gopher_port - 8080
FF - prefs.js: network.proxy.http - 10.10.10.33
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - 172.20.1.122
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.ssl - 172.20.1.122
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 4
FF - Ext: České slovníky pro kontrolu pravopisu: cs@dictionaries.addons.mozilla.org - %profile%\extensions\cs@dictionaries.addons.mozilla.org
FF - Ext: Flash Video Resources Downloader: max@subfighter.com - %profile%\extensions\max@subfighter.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Firebug: firebug@software.joehewitt.com - %profile%\extensions\firebug@software.joehewitt.com
FF - Ext: Ghostery: firefox@ghostery.com - %profile%\extensions\firefox@ghostery.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -

BHO-{a1e75a0e-4397-4ba8-bb50-e19fb66890f4} - (no file)
Toolbar-{a1e75a0e-4397-4ba8-bb50-e19fb66890f4} - (no file)
WebBrowser-{A1E75A0E-4397-4BA8-BB50-E19FB66890F4} - (no file)
HKLM-Run-SigmatelSysTrayApp - %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
SafeBoot-Ekp84.sys
SafeBoot-Kqv74.sys
MSConfigStartUp-Anti Trojan Elite - c:\program files\Anti Trojan Elite\TJEnder.exe
AddRemove-UIM - c:\program files\UIM\DeIsL1.isu
AddRemove-{E2883E8F-472F-4fb0-9522-AC9BF37916A7} - c:\program files\NOS\bin\getPlus_Helper.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-29 08:18
Windows 5.1.2600 Service Pack 3 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\AuditPro Scan]
"ImagePath"="c:\auditpro\Scan.exe /TCP:777 "
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(1868)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\avldr.dll

- - - - - - - > 'explorer.exe'(2156)
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 7\phonebrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_cze.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\windows\system32\CDRTC.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\msi.dll
c:\windows\system32\FXSAPI.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Wave Systems Corp\Common\DataServer.exe
c:\program files\Dell\OpenManage\Client\Iap.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\StacSV.exe
c:\program files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.EXE
c:\windows\sttray.exe
c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe
c:\program files\Brother\Brmfcmon\BrMfimon.exe
c:\program files\Apoint\ApMsgFwd.exe
c:\program files\Apoint\HidFind.exe
c:\program files\Apoint\Apntex.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
c:\program files\ATI Technologies\ATI.ACE\cli.exe
.
**************************************************************************
.
Celkový čas: 2010-12-29 08:23:12 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-12-29 07:23

Před spuštěním: Volných bajtů: 10 240 233 472
Po spuštění: Volných bajtů: 10 063 187 968

WindowsXP-KB310994-SP2-Pro-BootDisk-CSY.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - E71B04617F9ED30C6DAA6F4A5559717A
Dík

Re: Rootkit.win32.TDSS.ap

Napsal: 29 pro 2010 14:00
od Diallix
Dobre.

Do poznamkoveho bloku skopirujte:

KillAll::

filelook::
C:\WINDOWS\ncple\ncpsec.exe

File::
c:\docume~1\PRO\LOCALS~1\Temp\XYWVBK.exe
c:\windows\system32\avldr.dll
c:\docume~1\PRO\LOCALS~1\Temp\CQXBBRZDL.exe

Rootkit::
c:\docume~1\PRO\LOCALS~1\Temp\XYWVBK.exe
c:\docume~1\PRO\LOCALS~1\Temp\CQXBBRZDL.exe
c:\windows\system32\Drivers\Qxd63.sys

driver::
XYWVBK
CQXBBRZDL
Qxd63

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Qxd63.sys]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"XYWVBK"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\WINDOWS\system32\rundll32.exe"=-
"C:\WINDOWS\system32\spoolsv.exe"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"C:\WINDOWS\system32\rundll32.exe"=-
"C:\WINDOWS\system32\spoolsv.exe"=-
Ulozte ho na plochu ako CFScript.txt, chytte mysou, presunte nad ComboFix a pustite ako na obrazku dole. Po skene ComboFix vygeneruje a ulozi do lokalnej jednotky novy log ktoreho obsah skopirujte sem.
Obrázek

Re: Rootkit.win32.TDSS.ap

Napsal: 30 pro 2010 07:38
od pavel.roszler
Zde je:

ComboFix 10-12-28.02 - PRO 30.12.2010 7:18.2.2 - x86
SystÚm Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.958.528 [GMT 1:00]
SpuÜtýnř z: c:\documents and settings\PRO\Plocha\ComboFix.exe
Pou×itÚ ovlßdacÝ p°epÝnaŔe :: c:\documents and settings\PRO\Plocha\CFScript.txt.txt
AV: ESET NOD32 Antivirus 3.0 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Vytvo°en novř Bod ObnovenÝ

FILE ::
"c:\docume~1\PRO\LOCALS~1\Temp\CQXBBRZDL.exe"
"c:\docume~1\PRO\LOCALS~1\Temp\XYWVBK.exe"
"c:\windows\system32\avldr.dll"
.

((((((((((((((((((((((((((((((((((((((( OstatnÝ vřmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\avldr.dll

.
((((((((((((((((((((((((((((((((((((((( OvladaŔe/Slu×by )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CQXBBRZDL
-------\Legacy_QXD63
-------\Legacy_XYWVBK
-------\Service_CQXBBRZDL
-------\Service_Qxd63
-------\Service_XYWVBK


((((((((((((((((((((((((( Soubory vytvo°enÚ od 2010-11-28 do 2010-12-30 )))))))))))))))))))))))))))))))
.

2010-12-25 18:44 . 2010-12-25 21:05 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2010-12-11 06:21 . 2010-12-11 06:21 -------- d-----w- c:\program files\Common Files\Skype
2010-12-04 06:19 . 2010-12-04 06:19 -------- d-----w- C:\spoolerlogs
2010-12-03 08:19 . 2010-12-03 10:04 -------- d--h--w- c:\windows\system32\dwrcssft
2010-12-03 08:19 . 2009-02-04 14:35 78848 ----a-w- c:\windows\system32\DWRCST.EXE
2010-12-03 08:19 . 2009-02-04 14:34 61440 ----a-w- c:\windows\system32\DWRCSh32.dll
2010-12-03 08:19 . 2009-02-04 14:34 233472 ----a-w- c:\windows\system32\DWRCSET.DLL
2010-12-03 08:19 . 2009-02-04 14:34 53248 ----a-w- c:\windows\system32\DWRCK.DLL
2010-12-03 08:19 . 2009-02-04 14:34 234496 ----a-w- c:\windows\system32\DWRCS.EXE
2010-12-02 07:22 . 2010-12-02 07:22 -------- d-----w- c:\program files\Microsoft Silverlight

.
(((((((((((((((((((((((((((((((((((((((( Find3M vřpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-14 13:03 . 2010-11-14 13:03 49152 ----a-w- c:\windows\system32\md5sum.exe
2010-11-12 17:53 . 2010-05-21 22:24 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-12 15:34 . 2008-02-14 05:15 73728 ----a-w- c:\windows\system32\javacpl.cpl
.

(((((((((((((((((((((((((((((((((( SpouÜtýcÝ body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznßmka* prßzdnÚ zßznamy a legitimnÝ vřchozÝ ˙daje nejsou zobrazeny.
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-8287-79A187E26987}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2007-04-15 159744]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
"Document Manager"="c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [2006-09-08 102400]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-09-01 1461080]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2008-02-19 1089536]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-12-21 86016]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"IDTSysTrayApp"="sttray.exe" [2007-09-05 405504]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]
"TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-18 2247]

c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-1-11 2150400]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-7-24 50688]
EMBASSY Trust Suite Secure Update.lnk - c:\program files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe [2006-8-25 192512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoMSAppLogo5ChannelNotify"= 1 (0x1)
"NoPublishingWizard"= 1 (0x1)
"NoWebServices"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceRunOnStartMenu"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
2004-07-19 09:53 24681 ----a-w- c:\windows\system32\ckpNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\wxvault.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ekp84.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Kqv74.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Qxd63.sys]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-07-27 15:50 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"stllssvr"=3 (0x3)
"SR_WatchDog"=3 (0x3)
"SR_Service"=3 (0x3)
"ServiceLayer"=3 (0x3)
"rpcapd"=3 (0x3)
"PSI_SVC_2"=2 (0x2)
"ose"=3 (0x3)
"NcpSec"=2 (0x2)
"idsvc"=3 (0x3)
"HNetInfo FTP Server"=3 (0x3)
"gupdate"=2 (0x2)
"DWMRCS"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ISUSPM Startup"=c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\totalcmd\\TOTALCMD.EXE"=
"c:\\Program Files\\HNetInfo2\\HServer\\HServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [24.7.2007 12:57 3456]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [5.9.2007 18:26 685816]
R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [15.2.2007 18:00 26624]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [21.12.2007 8:21 35168]
R2 Scap;SecureClient Application Policy Module;c:\windows\system32\drivers\scap.sys [1.8.2008 6:53 17424]
R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [1.8.2008 6:53 668432]
R3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [7.2.2007 18:00 3712]
R3 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [1.8.2008 6:54 2038704]
S2 ATE_PROCMON;ATE_PROCMON;\??\c:\program files\Anti Trojan Elite\ATEPMon.sys --> c:\program files\Anti Trojan Elite\ATEPMon.sys [?]
S2 AuditPro Scan;AuditPro Scan;c:\auditpro\SCAN.EXE [21.4.2010 8:53 1471840]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18.3.2010 12:16 130384]
S2 P1C1394;Phase One 1394 Camera Driver;c:\windows\system32\Drivers\p1c1394.sys --> c:\windows\system32\Drivers\p1c1394.sys [?]
S3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [2.11.2006 12:32 97536]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [10.11.2010 14:03 100736]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [6.11.2007 21:22 34064]
S3 OMVA;VPN-1 SecureClient Adapter;c:\windows\system32\drivers\OMVA.sys [1.8.2008 6:54 14924]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [13.9.2004 16:20 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18.3.2010 12:16 753504]
S3 XilinxFirmwareEmbeddedLoader;XilinxFirmwareEmbeddedLoader;c:\windows\system32\drivers\xusb_xup.sys [6.1.2010 11:06 17408]
S3 XilinxFirmwareEmbeddedLpLoader;XilinxFirmwareEmbeddedLpLoader;c:\windows\system32\drivers\xusb_emb.sys [6.1.2010 11:06 17408]
S3 XilinxFirmwareLoader;XilinxFirmwareLoader;c:\windows\system32\drivers\xusbdfwu.sys [21.2.2008 11:09 17280]
S3 XilinxFirmwareLpLoader;XilinxFirmwareLpLoader;c:\windows\system32\drivers\xusb_xlp.sys [6.1.2010 11:06 17280]
S3 XilinxFirmwarePusb2Loader;XilinxFirmwarePusb2Loader;c:\windows\system32\drivers\xusb_xp2.sys [6.1.2010 11:06 17920]
S3 XilinxFirmwarePusb2SeLoader;XilinxFirmwarePusb2SeLoader;c:\windows\system32\drivers\xusb_xse.sys [6.1.2010 11:06 17920]
S4 ekrn;Eset Service;c:\program files\Eset\ESET NOD32 Antivirus\ekrn.exe [7.10.2009 8:16 472280]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [25.11.2009 8:04 135664]
S4 HNetInfo FTP Server;HNetInfo FTP Server;c:\program files\HNetInfo2\HServer\startsrv.exe [20.11.2004 20:22 57344]
S4 NcpSec;NcpSec;c:\windows\ncple\ncpsec.exe --> c:\windows\ncple\ncpsec.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
WINRM REG_MULTI_SZ WINRM
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Obsah adresß°e 'NaplßnovanÚ ˙lohy'

2010-12-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-25 07:04]

2010-12-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-25 07:04]
.
.
------- Dopl˛kovř sken -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {F4B99A69-80BB-4EBE-9009-F97D2C9AED28} = 8.8.8.8
FF - ProfilePath - c:\documents and settings\PRO\Data aplikacÝ\Mozilla\Firefox\Profiles\eynerzcn.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2475029&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.seznam.cz/
FF - prefs.js: network.proxy.ftp - 172.20.1.122
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.gopher - 172.20.1.122
FF - prefs.js: network.proxy.gopher_port - 8080
FF - prefs.js: network.proxy.http - 10.10.10.33
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - 172.20.1.122
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.ssl - 172.20.1.122
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 4
FF - Ext: ─îesk├ę slovn├şky pro kontrolu pravopisu: cs@dictionaries.addons.mozilla.org - %profile%\extensions\cs@dictionaries.addons.mozilla.org
FF - Ext: Flash Video Resources Downloader: max@subfighter.com - %profile%\extensions\max@subfighter.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Firebug: firebug@software.joehewitt.com - %profile%\extensions\firebug@software.joehewitt.com
FF - Ext: Ghostery: firefox@ghostery.com - %profile%\extensions\firefox@ghostery.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - NEPLATN╔ POLOÄKY ODSTRAN╠N╔ Z REGISTRU - - - -

BHO-{a1e75a0e-4397-4ba8-bb50-e19fb66890f4} - (no file)
Notify-avldr - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-30 07:26
Windows 5.1.2600 Service Pack 3 NTFS

skenovßnÝ skrytřch proces¨ ...

skenovßnÝ skrytřch polo×ek 'Po spuÜtýnÝ' ...

skenovßnÝ skrytřch soubor¨ ...

sken byl ˙speÜný dokonŔen
skrytÚ soubory: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\AuditPro Scan]
"ImagePath"="c:\auditpro\Scan.exe /TCP:777 "
.
--------------------- Knihovny navßzanÚ na bý×ÝcÝ procesy ---------------------

- - - - - - - > 'winlogon.exe'(1444)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(4056)
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 7\phonebrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_cze.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\windows\system32\CDRTC.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ JinÚ spuÜtenÚ procesy ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Wave Systems Corp\Common\DataServer.exe
c:\program files\Dell\OpenManage\Client\Iap.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\StacSV.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
c:\windows\sttray.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.EXE
c:\program files\Brother\Brmfcmon\BrMfimon.exe
c:\program files\Apoint\ApMsgFwd.exe
c:\program files\Apoint\HidFind.exe
c:\program files\Apoint\Apntex.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\program files\ATI Technologies\ATI.ACE\cli.exe
.
**************************************************************************
.
Celkovř Ŕas: 2010-12-30 07:31:08 - poŔÝtaŔ byl restartovßn
ComboFix-quarantined-files.txt 2010-12-30 06:31
ComboFix2.txt 2010-12-29 07:23

P°ed spuÜtýnÝm: Volnřch bajt¨: 10á075á021á312
Po spuÜtýnÝ: Volnřch bajt¨: 10á053á079á040

Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - 648E7F3D8B767EEB055BCB41FD5096A6
Dík Pavel

Re: Rootkit.win32.TDSS.ap

Napsal: 30 pro 2010 10:59
od Diallix
:arrow:
Dobre, precitajte si tento navod : http://www.spyware.cz/go.php?p=spyware&t=aplikace&id=35

Program stiahnite a spustite.

Do toho bieleho okna skopirujte:
Registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ekp84.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Kqv74.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Qxd63.sys
Klik na EXECUTE > ANO / YES / OK

PC sa resetuje. Po resete sem vlozte obsah logu, ktory sa pri starte spusti.


:arrow:
subor : c:\windows\ncple\ncpsec.exe zrarujte pomocou archivu (napr winrar) a uploadnite ho na leteckaposta.cz

Odkaz tu potom dajte.

:arrow:
zozku: C:\Qoobox tak isto zrarujte, uploadnite na leteckaposta.cz a odkaz sem dajte.

Re: Rootkit.win32.TDSS.ap

Napsal: 30 pro 2010 14:16
od pavel.roszler
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************
Log je zde:
Beginning to process script file:

Rootkit scan active.
No rootkits found!

Registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ekp84.sys" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Kqv74.sys" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Qxd63.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
Tady je odkaz na Qoobox:
http://leteckaposta.cz/201976441
ncpsec.exe nemůžu najít.
Děkuji za pomoc, přeji veselého Silvestra a mnoho štěstí v Novém roce.
Zítra tj.31.12. nebudu na internetu.

Re: Rootkit.win32.TDSS.ap

Napsal: 30 pro 2010 16:05
od Diallix
Dobre.

c:\AVENGER zmazte

ten subor bude skryty...otestujte ho na virustotal.com

do okna skopirujte: c:\windows\ncple\ncpsec.exe a odoslite.


Ak vas zvyzve ku akcii, tak zvolte moznost "znovu otestovat/reanalyse"


Ak tak, skuste vojst do zlozky: c:\windows\ncple\ , klik hore v karte na vlastnosti priecinka >> zobrazenie >> zvolte moznosti "zobrazit skryte subory a priecinky a zobrazit systemove subory"


Aj ja Vam prajem vela statia a hlavne pekny zivot, v novom roku, ale nie len v buducom, ale v celom.

Re: Rootkit.win32.TDSS.ap

Napsal: 01 led 2011 17:33
od pavel.roszler
Vítejte v novém roce.
Ten ncpsec.exe nikde není k nalezení. Ani v Nortoncomanderu se nezobrazí.
Dík Pavel

Re: Rootkit.win32.TDSS.ap

Napsal: 03 led 2011 12:18
od Diallix
Vy tiez :)

Ospravedlnujem sa, ze spisem az teraz, ale bol som tak troska po opici.

kliknite start >> spustit >> napiste "cmd" >> enter

do ciernehoo kna skopirujte oba prikazy, pricom kazdy odenterujte:

sc stop NcpSec
sc delete NcpSec


:arrow:

mate v prehliadaci zamerne nastavene tieto hodnoty? :

FF - prefs.js: network.proxy.ftp - 172.20.1.122
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.gopher - 172.20.1.122
FF - prefs.js: network.proxy.gopher_port - 8080
FF - prefs.js: network.proxy.http - 10.10.10.33
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - 172.20.1.122
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.ssl - 172.20.1.122
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 4

Re: Rootkit.win32.TDSS.ap

Napsal: 05 led 2011 07:31
od pavel.roszler
Vítejte v Novém roce, Silvestr se zřejmě vydařil.
po tom prvním přikazu mi to napsalo SC ControlService failed 1062
po to druhém SC DeleteServices SUCCESS
Ty ip adresy 172 .... ... to bude firemní síť to 10 .... nevím asi nějaký pozůstatek z práce, někdy se připojujeme do sítí k našim zařízením a potřebujeme tam koukat přez webový prohlížeč.
Dík Pavel

Re: Rootkit.win32.TDSS.ap

Napsal: 05 led 2011 11:46
od Diallix
da sa povedat, ze ano :D

V tom pripade je to ok.

Su s pc este nejake problemy ?

Re: Rootkit.win32.TDSS.ap

Napsal: 06 led 2011 15:28
od pavel.roszler
Děkuji, PC se chová mravně.
Pavel
Všechny časy jsou v UTC+01:00
Stránka 1 z 2

Založeno na phpBB® Forum Software © phpBB Limited

Český překlad – phpBB.cz