VIRY.CZ

Prosím o kontrolu logu z pc švagra. Pc je strašně pomalý a bliká (teda spíš svítí) neustále kontrolka využití procesoru:

Logfile of random's system information tool 1.06 (written by random/random)
Run by uživatel at 2009-11-15 21:14:25
Microsoft® Windows Vista™ Home Basic
System drive C: has 47 GB (31%) free of 153 GB
Total RAM: 1013 MB (15% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:15:12, on 15.11.2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v8.00 (8.00.6001.18828)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.Exe
C:\Windows\PixArt\Pac207\Monitor.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Users\uživatel\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\30VP1NY9\RSIT[1].exe
C:\Program Files\trend micro\uživatel.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Windows\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Monitor] C:\Windows\PixArt\PAC207\Monitor.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Odeslat do aplikace OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Od&eslat do aplikace OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O13 - Gopher Prefix:
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... ader55.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://icq.oberon-media.com/Gameshell/G ... meHost.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ICQ Service - Unknown owner - C:\Program Files\ICQ6Toolbar\ICQ Service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Unknown owner - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe (file missing)
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 6996 bytes

======Scheduled tasks folder======

C:\Windows\tasks\User_Feed_Synchronization-{84704B8C-0964-47DD-9A21-3C458AC93B4F}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2005-09-24 63136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]
Groove GFS Browser Helper - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-12 2217848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java(tm) Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2008-11-26 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-06-13 259696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll [2009-03-22 668656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2008-11-26 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{32099AAC-C132-4136-9E9A-4E364A424E17} - DAEMON Tools Toolbar - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll [2008-07-17 691656]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-06-13 259696]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2006-11-02 1004136]
"IgfxTray"=C:\Windows\system32\igfxtray.exe [2008-01-22 141848]
"HotKeysCmds"=C:\Windows\system32\hkcmd.exe [2008-01-22 166424]
"Persistence"=C:\Windows\system32\igfxpers.exe [2008-01-22 133656]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2008-11-26 136600]
"SpywareTerminator"=C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe [2008-09-27 1817600]
"NeroFilterCheck"=C:\Windows\system32\NeroCheck.exe [2001-07-09 155648]
"Monitor"=C:\Windows\PixArt\PAC207\Monitor.exe [2006-11-03 319488]
"RemoteControl"=C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2004-11-02 32768]
"GrooveMonitor"=C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2008-10-25 31072]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"=C:\Program Files\Windows Sidebar\sidebar.exe [2009-02-01 1232896]
"DAEMON Tools Lite"=C:\Program Files\DAEMON Tools Lite\daemon.exe [2008-07-24 490952]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2009-02-04 39408]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\Windows\system32\igfxdev.dll [2008-01-22 200704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-12 2217848]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=0
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8db3248c-8d7b-11dd-880a-001eec4e46d7}]
shell\AutoRun\command - E:\SETUP.EXE
shell\configure\command - E:\SETUP.EXE
shell\install\command - E:\SETUP.EXE


======File associations======

.js - edit - C:\Windows\System32\Notepad.exe %1
.js - open - C:\Windows\System32\WScript.exe "%1" %*

======List of files/folders created in the last 1 months======

2009-11-15 21:14:31 ----D---- C:\Program Files\trend micro
2009-11-15 21:14:25 ----D---- C:\rsit
2009-11-15 19:39:16 ----D---- C:\54af84ef5c9fa257dcd4c3fc1b
2009-11-15 13:05:52 ----D---- C:\Program Files\MSXML 4.0
2009-11-14 20:40:40 ----D---- C:\PerfLogs
2009-11-14 20:06:40 ----D---- C:\b99227bf80db09a4a0ec
2009-11-14 19:41:11 ----D---- C:\Users\uživatel\AppData\Roaming\Nero
2009-11-14 19:32:31 ----D---- C:\ProgramData\Nero
2009-11-11 15:06:16 ----A---- C:\Windows\system32\mshtml.dll
2009-11-11 15:05:41 ----A---- C:\Windows\system32\WSDApi.dll

======List of files/folders modified in the last 1 months======

2009-11-15 21:14:31 ----RD---- C:\Program Files
2009-11-15 21:14:20 ----D---- C:\Windows\Temp
2009-11-15 21:08:07 ----D---- C:\Windows\System32
2009-11-15 21:08:06 ----A---- C:\Windows\system32\PerfStringBackup.INI
2009-11-15 21:08:04 ----D---- C:\Windows\inf
2009-11-15 21:07:52 ----D---- C:\Program Files\Internet Explorer
2009-11-15 20:59:43 ----D---- C:\Windows\system32\wbem
2009-11-15 20:59:43 ----D---- C:\Windows
2009-11-15 20:54:08 ----D---- C:\Windows\system32\config
2009-11-15 20:51:59 ----SHD---- C:\Windows\Installer
2009-11-15 20:51:59 ----HD---- C:\Program Files\InstallShield Installation Information
2009-11-15 20:51:59 ----D---- C:\Windows\Tasks
2009-11-15 20:51:59 ----D---- C:\Windows\system32\Tasks
2009-11-15 20:51:59 ----D---- C:\Windows\system32\spool
2009-11-15 20:51:59 ----D---- C:\Windows\system32\catroot2
2009-11-15 20:51:59 ----D---- C:\Users\uživatel\AppData\Roaming\Spyware Terminator
2009-11-15 20:51:59 ----D---- C:\Program Files\Common Files\InstallShield
2009-11-15 20:51:58 ----D---- C:\Windows\registration
2009-11-15 20:37:08 ----SHD---- C:\System Volume Information
2009-11-15 19:57:08 ----D---- C:\Windows\winsxs
2009-11-15 16:33:39 ----D---- C:\Program Files\Mozilla Firefox
2009-11-15 14:03:02 ----D---- C:\Users\uživatel\AppData\Roaming\ICQ
2009-11-14 21:54:40 ----D---- C:\Windows\system32\cs-CZ
2009-11-14 21:51:20 ----D---- C:\Program Files\MSN
2009-11-14 21:50:26 ----D---- C:\Windows\tapi
2009-11-14 21:50:26 ----D---- C:\Windows\system32\drivers
2009-11-14 21:50:25 ----D---- C:\Windows\system32\CodeIntegrity
2009-11-14 21:50:03 ----RD---- C:\Users
2009-11-14 21:47:59 ----D---- C:\Windows\system32\oobe
2009-11-14 21:47:59 ----D---- C:\Windows\system32\migwiz
2009-11-14 21:47:59 ----D---- C:\Windows\servicing
2009-11-14 21:47:58 ----D---- C:\Windows\system32\Boot
2009-11-14 21:47:57 ----D---- C:\Windows\IME
2009-11-14 21:47:57 ----D---- C:\Windows\AppPatch
2009-11-14 21:47:56 ----D---- C:\Program Files\Windows Sidebar
2009-11-14 21:47:56 ----D---- C:\Program Files\Windows Photo Gallery
2009-11-14 21:47:56 ----D---- C:\Program Files\Windows Mail
2009-11-14 21:47:56 ----D---- C:\Program Files\Common Files\System
2009-11-14 21:28:59 ----D---- C:\Windows\Logs
2009-11-14 21:02:33 ----D---- C:\Windows\Microsoft.NET
2009-11-14 21:02:29 ----RSD---- C:\Windows\assembly
2009-11-14 20:52:26 ----D---- C:\Windows\system32\catroot
2009-11-14 20:52:12 ----SHD---- C:\Boot
2009-11-14 20:40:50 ----D---- C:\Windows\Boot
2009-11-14 19:57:03 ----D---- C:\Program Files\Common Files\Nero
2009-11-14 19:53:55 ----D---- C:\Windows\Prefetch
2009-11-14 19:46:28 ----D---- C:\Windows\Debug
2009-11-14 19:32:31 ----HD---- C:\ProgramData
2009-11-12 09:32:11 ----D---- C:\ProgramData\Microsoft Help
2009-11-05 18:36:21 ----A---- C:\Windows\system32\mrt.exe
2009-11-02 20:42:06 ----N---- C:\Windows\system32\MpSigStub.exe
2009-10-18 16:05:47 ----A---- C:\Windows\NeroDigital.ini

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 sp_rsdrv2;Spyware Terminator Driver 2; \??\C:\Windows\system32\drivers\sp_rsdrv2.sys [2008-09-27 141312]
R3 athr;Atheros Extensible Wireless LAN device driver; C:\Windows\system32\DRIVERS\athr.sys [2007-07-30 743424]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0; C:\Windows\system32\DRIVERS\b57nd60x.sys [2007-07-22 180736]
R3 CmBatt;Ovladač baterie Microsoft ACPI Control Method Battery; C:\Windows\system32\DRIVERS\CmBatt.sys [2006-11-02 14208]
R3 HdAudAddService;Ovladač funkce Microsoft 1.1 UAA pro službu zvuku High Definition Audio; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
R3 igfx;igfx; C:\Windows\system32\DRIVERS\igdkmd32.sys [2008-01-22 2016256]
R3 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\DRIVERS\wmiacpi.sys [2006-11-02 11264]
S3 allswjs0;allswjs0; C:\Windows\system32\drivers\allswjs0.sys []
S3 drmkaud;Dekodér zvuků DRM jádra společnosti Microsoft; C:\Windows\system32\drivers\drmkaud.sys [2006-11-02 5632]
S3 MSKSSRV;Server proxy služby datových proudů Microsoft; C:\Windows\system32\drivers\MSKSSRV.sys [2006-11-02 8192]
S3 MSPCLOCK;Server proxy hodin datových proudů Microsoft; C:\Windows\system32\drivers\MSPCLOCK.sys [2006-11-02 5888]
S3 MSPQM;Server proxy správce kvality datových proudů Microsoft; C:\Windows\system32\drivers\MSPQM.sys [2006-11-02 5504]
S3 MSTEE;Konvertor jímka-jímka typu T datových proudů Microsoft; C:\Windows\system32\drivers\MSTEE.sys [2006-11-02 6016]
S3 PAC207;SoC PC-Camera; C:\Windows\system32\DRIVERS\PFC027.SYS [2006-12-05 507136]
S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2006-11-02 82560]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 ICQ Service;ICQ Service; C:\Program Files\ICQ6Toolbar\ICQ Service.exe [2009-06-01 222968]
R2 sp_rssrv;Spyware Terminator Realtime Shield Service; C:\Program Files\Spyware Terminator\sp_rsser.exe [2008-09-27 606720]
S2 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0; C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe []
S3 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-06-13 182768]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-03 69632]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2008-10-25 65888]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]

-----------------EOF-----------------

Ahoj.

1) Stiahni GMER, rozbal ho na plochu a spust. Program automaticky zacne scan (po jeho skonceni vloz log c. 1) - pokial pri scanovani nieco najde (=vyskoci nejake upozornenie), klik na "NO" a vpravo zafajknes vsetky polozky OKREM:

• Sections
• IAT/EAT
• Registry
• nesystemovych diskov a particii (system je zvycajne na "C:\" - takze nezaskrtnute nechas "D:\", "E:\"...atd.)
• Show All

Klik na "Scan". Po scane klik na "Save" a log c. 2 vloz sem.

Ak nic nenajde (=nevyskoci nic), zaskrtaj vpravo vsetko a spusti scan. Po jeho ukonceni klik na "Copy" a vloz log c. 2.


2) Stiahni DDS. Uloz na plochu, ukonci vsetky spustene programy a spust ho. Po skonceni scanu sa otvoria vysledky v 2 oknach - DDS.txt a Attach.txt. Obsah oboch by som rad videl.

AhoGMER 1.0.15.15227 - http://www.gmer.net
Rootkit quick scan 2009-11-17 18:25:39
Windows 6.0.6000
Running: gmer.exe; Driver: C:\Users\UIVATE~1\AppData\Local\Temp\uglirkob.sys


---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 842B71F8
Device \Driver\atapi -> \Driver\atapi \Device\Harddisk0\DR0 842B61F8

---- EOF - GMER 1.0.15 ----
j log č.1:

Log č.2 nelze poslat, neboť se při scanování kousne celé pc, když je scanován \Cdfs a lomítko je obráceně

Scan
DDS (Ver_09-10-26.01) - NTFSx86
Run by u§ivatel at 18:52:12,76 on Łt 17.11.2009
Internet Explorer: 8.0.6001.18828 BrowserJavaVersion: 1.6.0_10
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1250.420.1029.18.1013.289 [GMT 1:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\Explorer.EXE
C:\Windows\system32\Dwm.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.Exe
C:\Windows\PixArt\Pac207\Monitor.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\SysMetrix\SysMetrix.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\ICQ6Toolbar\ICQ Service.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\uživatel\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\30VP1NY9\dds[1].scr
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.seznam.cz/
uURLSearchHooks: H - No File
uURLSearchHooks: ICQToolBar: {855f3b16-6d32-4fe6-8a56-bbb695989046} - c:\program files\icq6toolbar\ICQToolBar.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SpywareTerminator] "c:\program files\spyware terminator\SpywareTerminatorShield.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Monitor] c:\windows\pixart\pac207\Monitor.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [SysMetrix] c:\program files\sysmetrix\SysMetrix.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {E59EB121-F339-4851-A3BA-FE49C35617C2} - c:\program files\icq6.5\ICQ.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - hxxp://icq.oberon-media.com/Gameshell/GameHost/1.0/OberonGameHost.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\uivate~1\appdata\roaming\mozilla\firefox\profiles\hvojm8tx.default\
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - hxxp://www.centrum.cz/skinit/icq/
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.XMLHttpRequest.channel", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("security.checkloaduri", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("bidi.characterset", 1);
c:\program files\mozilla firefox\defaults\pref\channel-prefs.js - pref("app.update.channel", "release");
c:\program files\mozilla firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");

============= SERVICES / DRIVERS ===============

R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2008-9-27 141312]
R2 ICQ Service;ICQ Service;c:\program files\icq6toolbar\ICQ Service.exe [2009-7-15 222968]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2008-9-27 180736]
S0 OemBiosDevice;Royalty OEM Bios Extension;c:\windows\system32\drivers\royal.sys [2008-9-27 240128]
S2 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0;c:\program files\common files\nero\nero backitup 4\nbservice.exe --> c:\program files\common files\nero\nero backitup 4\NBService.exe [?]
S3 PAC207;SoC PC-Camera;c:\windows\system32\drivers\PFC027.SYS [2006-12-5 507136]

=============== Created Last 30 ================

2009-11-15 22:46:20 0 d-----w- c:\program files\SysMetrix
2009-11-15 20:14:31 0 d-----w- c:\program files\trend micro
2009-11-15 18:39:16 0 d-----w- C:\54af84ef5c9fa257dcd4c3fc1b
2009-11-15 12:05:52 0 d-----w- c:\program files\MSXML 4.0
2009-11-14 19:40:40 0 d-----w- C:\PerfLogs
2009-11-14 19:06:40 0 d-----w- C:\b99227bf80db09a4a0ec
2009-11-14 18:32:31 0 d-----w- c:\programdata\Nero
2009-11-11 14:06:14 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2009-11-11 14:06:03 2031104 ----a-w- c:\windows\system32\win32k.sys
2009-11-11 14:05:41 321536 ----a-w- c:\windows\system32\WSDApi.dll

==================== Find3M ====================

2009-11-17 17:52:17 1835008 --sha-w- c:\users\uživatel\ntuser.dat
2009-11-17 17:45:53 82594 ----a-w- c:\windows\system32\perfc005.dat
2009-11-17 17:45:53 476852 ----a-w- c:\windows\system32\perfh005.dat
2009-11-02 19:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-09-10 17:38:29 216576 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 12:38:11 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-08-27 05:22:28 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 05:17:43 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 05:17:43 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-08-27 03:42:29 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-02-02 09:00:12 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-02-02 09:00:12 51200 ----a-w- c:\windows\inf\infpub.dat
2009-02-02 09:00:10 86016 ----a-w- c:\windows\inf\infstrng.dat
2009-02-02 09:00:10 86016 ----a-w- c:\windows\inf\infstor.dat
2009-02-02 08:59:25 174 --sha-w- c:\program files\desktop.ini
2007-01-08 21:07:39 34724 ----a-w- c:\windows\inf\perflib\0405\perfd.dat
2007-01-08 21:07:39 34724 ----a-w- c:\windows\inf\perflib\0405\perfc.dat
2007-01-08 21:07:39 286912 ----a-w- c:\windows\inf\perflib\0405\perfi.dat
2007-01-08 21:07:39 286912 ----a-w- c:\windows\inf\perflib\0405\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 18:54:17,00 ===============
DDS:


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-10-26.01)

Microsoft® Windows Vista™ Home Basic
Boot Device: \Device\HarddiskVolume1
Install Date: 27.9.2008 20:48:05
System Uptime: 17.11.2009 18:40:16 (0 hours ago)

Motherboard: EMACHINES | | Rhine
Processor: Intel(R) Celeron(R) CPU 560 @ 2.13GHz | uPGA-478 | 2127/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 149 GiB total, 41,049 GiB free.
D: is CDROM ()
E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================


==== Installed Programs ======================

Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.0.5 - Czech
Adobe Shockwave Player 11.5
aTube Catcher 1.0
AviSynth 2.5
CCleaner (remove only)
Codec Pack - All In 1 6.0.3.0
DAEMON Tools Toolbar
GameSpy Arcade
Google Toolbar for Internet Explorer
Google Updater
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
ICQ Toolbar
ICQ6.5
Intel(R) Graphics Media Accelerator Driver
Java(TM) 6 Update 10
Java(TM) 6 Update 6
K-Lite Codec Pack 4.1.4 (Standard)
Microsoft .NET Framework 3.5 SP1
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (Czech) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (Czech) 2007
Microsoft Office Groove MUI (Czech) 2007
Microsoft Office InfoPath MUI (Czech) 2007
Microsoft Office OneNote MUI (Czech) 2007
Microsoft Office Outlook MUI (Czech) 2007
Microsoft Office PowerPoint MUI (Czech) 2007
Microsoft Office PowerPoint Viewer 2003
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (Czech) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (German) 2007
Microsoft Office Proof (Slovak) 2007
Microsoft Office Proofing (Czech) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (Czech) 2007
Microsoft Office Shared MUI (Czech) 2007
Microsoft Office Word MUI (Czech) 2007
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.5)
MP3 To Wave Maker Plus 2.8
MSXML 4.0 SP2 (KB954430)
Nero 9 Essentials
Nero Suite
neroxml
Power Audio Video DVD Converter 2.3
PowerDVD
QIP 2005 Uninstall
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB973704)
Security Update for Microsoft Office Excel 2007 (KB973593)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB969604)
SPORE™
Spyware Terminator
SysMetrix 3.41
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Outlook 2007 Junk Email Filter (kb975960)
Vista x86 OneClick Activator
WinRAR
Worms 3D

==== End Of File ===========================

Vyzera to tak, ze si dalsi s tym novy TDL3 rootkitom :/

Stiahni ComboFix, najlepsie na plochu. Vypni vsetky otvorene aplikacie, ako aj rezidenty antiviru, antispywaru a firewall. Spust program cez ucet s administratorskymi pravami a postupuj podla instrukcii. Cely sken bude trvat cca 10 minut. Pocas neho moze byt PC restartovane. Log, ktory ComboFix vytvori, najdes na adrese "C:\ComboFix.txt".
Ten vloz sem.

Pozor: Kym ComboFix nevytvori log, na nic neklikat, nic nestlacat !!

tak ComboFix nainstaluju i spustím. otevře se okno že proces může trvat 10 min. atd., ale potom čekám a čekám a ... po půl hodině jsem to vzdal a zkusil ComboFix odinstalovat a nainstalovat znovu a stále čekám...

Stiahni SystemLook. Uloz na plochu a spust. Do okna skopiruj:
Klikni na "Look" a nechaj program dokoncit scan. Po jeho skonceni sa ti zobrazi log, ktory potrebujem vidiet. V pripade problemov sa nachadza aj na ploche.

Tady je log:

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 19:29 on 18/11/2009 by uživatel (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi.sys"
C:\Windows.old\Windows\system32\dllcache\atapi.sys --a--c 95360 bytes [22:59 03/08/2004] [20:59 03/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\Windows.old\Windows\system32\drivers\atapi.sys --a--- 95360 bytes [22:59 03/08/2004] [20:59 03/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\Windows.old\Windows\system32\ReinstallBackups\0007\DriverFiles\i386\atapi.sys --a--- 95360 bytes [00:35 25/09/2008] [22:59 03/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\Windows.old\Windows\system32\ReinstallBackups\0008\DriverFiles\i386\atapi.sys --a--- 95360 bytes [00:35 25/09/2008] [20:59 03/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\Windows\SoftwareDistribution\Download\ed4622e5538dd0902b6f6f3592a40a49\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys --a--- 21560 bytes [22:03 15/11/2009] [07:41 19/01/2008] 2D9C903DC76A66813D350A562DE40ED9
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys --a--- 19048 bytes [10:25 02/11/2006] [09:49 02/11/2006] 4F4FCB8B6EA06784FB6D475B7EC7300F
C:\Windows\System32\drivers\atapi.sys --a--- 19048 bytes [08:51 02/11/2006] [09:49 02/11/2006] 4F4FCB8B6EA06784FB6D475B7EC7300F

-=End Of File=-

OK. Skusime to inak:

Presun ikonu CF na plochu, vypni vsetky otvorene aplikacie, ako aj rezidenty antiviru, antispywaru a firewall a otvor poznamkovy blok. Donho skopiruj:
Uloz na plochu ako CFScript.txt a mysou pretiahni nad ikonou CF.



Program script spracuje a spravi novy log.


Pozor: Ak po aplikacii skriptu nenabehne Windows, restartuj PC, stlac F8 a zvol Poslednu znamu funkcnu konfiguraciu.

tak to dopadne úplně stejně jen s tím rozdílem, že napíše vytvářím bod obnovení a potom si stahuje soubory z registrů. potom napíše vyhledávám nakažené soubory atd. procesor pracuje tak 5min a pak nic...

Tak este skus tento CFScript:

tak konečně log:

ComboFix 09-11-20.05 - uživatel 21.11.2009 17:29.1.1 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1250.420.1029.18.1013.131 [GMT 1:00]
Spuštěný z: c:\users\uživatel\Desktop\ComboFix.exe
Použité ovládací přepínače :: c:\users\uživatel\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
- REŽIM S OMEZENOU FUNKČNOSTÍ -
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2365545147-1999384947-2466353664-500
c:\$recycle.bin\S-1-5-21-2365545147-1999384947-2466353664-500\desktop.ini

.
((((((((((((((((((((((((( Soubory vytvořené od 2009-10-21 do 2009-11-21 )))))))))))))))))))))))))))))))
.

2009-11-21 16:30 . 2009-11-21 16:30 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-11-15 22:46 . 2009-11-21 16:29 4096 d-----w- c:\program files\SysMetrix
2009-11-15 20:14 . 2009-11-15 20:15 -------- d-----w- c:\program files\trend micro
2009-11-15 20:14 . 2009-11-15 20:15 -------- d-----w- C:\rsit
2009-11-15 18:39 . 2009-11-15 18:43 -------- d-----w- C:\54af84ef5c9fa257dcd4c3fc1b
2009-11-15 12:05 . 2009-11-15 12:05 -------- d-----w- c:\program files\MSXML 4.0
2009-11-14 19:40 . 2009-11-14 19:40 -------- d-----w- C:\PerfLogs
2009-11-14 19:06 . 2009-11-14 20:50 -------- d-----w- C:\b99227bf80db09a4a0ec
2009-11-14 18:32 . 2009-11-14 18:56 -------- d-----w- c:\programdata\Nero
2009-11-11 14:06 . 2009-08-14 14:01 2031104 ----a-w- c:\windows\system32\win32k.sys
2009-11-11 14:05 . 2009-08-10 13:08 321536 ----a-w- c:\windows\system32\WSDApi.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-21 12:02 . 2007-01-08 21:10 82594 ----a-w- c:\windows\system32\perfc005.dat
2009-11-21 12:02 . 2007-01-08 21:10 476852 ----a-w- c:\windows\system32\perfh005.dat
2009-11-15 19:51 . 2008-09-28 19:55 4096 d-----w- c:\program files\Common Files\InstallShield
2009-11-15 19:51 . 2008-09-28 17:04 4096 d--h--w- c:\program files\InstallShield Installation Information
2009-11-14 20:47 . 2006-11-02 12:35 4096 d-----w- c:\program files\Windows Sidebar
2009-11-14 20:47 . 2006-11-02 12:35 4096 d-----w- c:\program files\Windows Photo Gallery
2009-11-14 20:47 . 2006-11-02 11:18 4096 d-----w- c:\program files\Windows Mail
2009-11-14 18:57 . 2008-09-28 20:47 4096 d-----w- c:\program files\Common Files\Nero
2009-11-12 08:32 . 2008-11-29 13:12 12288 d-----w- c:\programdata\Microsoft Help
2009-11-02 19:42 . 2009-10-03 08:05 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-09-14 09:50 . 2009-10-14 09:02 130048 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-09-10 17:38 . 2009-10-14 09:03 216576 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 12:38 . 2009-10-14 09:02 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-08-27 05:22 . 2009-10-14 09:02 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 05:17 . 2009-10-14 09:02 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 05:17 . 2009-10-14 09:02 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-08-27 03:42 . 2009-10-14 09:02 133632 ----a-w- c:\windows\system32\ieUnatt.exe
.

(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-02-01 1232896]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-07-24 490952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-04 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-02 1004136]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-01-22 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-01-22 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-01-22 133656]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-26 136600]
"SpywareTerminator"="c:\program files\Spyware Terminator\SpywareTerminatorShield.exe" [2008-09-27 1817600]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"SysMetrix"="c:\program files\SysMetrix\SysMetrix.exe" [2006-02-25 2637824]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1847906231-1111854856-2069546849-1000]
"EnableNotificationsRef"=dword:00000001

R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\System32\drivers\sp_rsdrv2.sys [27.9.2008 17:29 141312]
R2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [15.7.2009 17:06 222968]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [27.9.2008 14:56 180736]
S0 OemBiosDevice;Royalty OEM Bios Extension;c:\windows\System32\drivers\royal.sys [27.9.2008 14:50 240128]
S3 PAC207;SoC PC-Camera;c:\windows\System32\drivers\PFC027.SYS [5.12.2006 11:34 507136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8db3248c-8d7b-11dd-880a-001eec4e46d7}]
\shell\AutoRun\command - E:\SETUP.EXE
\shell\configure\command - E:\SETUP.EXE
\shell\install\command - E:\SETUP.EXE
.
Obsah adresáře 'Naplánované úlohy'

2009-11-21 c:\windows\Tasks\User_Feed_Synchronization-{84704B8C-0964-47DD-9A21-3C458AC93B4F}.job
- c:\windows\system32\msfeedssync.exe [2009-10-14 03:41]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.seznam.cz/
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\uživatel\AppData\Roaming\Mozilla\Firefox\Profiles\hvojm8tx.default\
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - hxxp://www.centrum.cz/skinit/icq/
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -

AddRemove-{0c0274fb-3978-4241-bcf0-d459bb4b0fe7} - c:\program files\Common Files\Nero\Nero ProductInstaller 4\SetupX.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-21 17:35
Windows 6.0.6000 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x842B61F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x8244dd1f
\Driver\ACPI -> acpi.sys @ 0x804439d6
\Driver\atapi -> 0x842b61f8
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------

[HKEY_USERS\S-1-5-21-1847906231-1111854856-2069546849-1000\Software\SecuROM\License information*]
"datasecu"=hex:3d,f7,79,f8,3f,b0,d4,da,f0,90,75,47,fa,ea,17,a3,69,9e,c5,e9,ca,
d2,b7,3d,ef,35,6a,85,33,3b,67,54,1a,d9,33,11,15,63,5e,94,b6,6f,5d,c6,03,0a,\
"rkeysecu"=hex:ba,a2,66,16,c2,76,5f,05,9f,1d,ed,13,97,16,a4,4a
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\program files\Spyware Terminator\sp_rsser.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Celkový čas: 2009-11-21 17:42 - počítač byl restartován
ComboFix-quarantined-files.txt 2009-11-21 16:42

Před spuštěním: Volných bajtů: 40 320 421 888
Po spuštění: Volných bajtů: 42 544 340 992

- - End Of File - - C33AF4A8F3E4467CC2ABBAD704E21C66

ještě mi to po spuštění Combofixu psalo:WARNING!!SPTD IS INSTALLED AND RUNNING ON THIS MACHINE. COMBOFIX NEEDS TO TEMPORARILY DISABLE SPTD. apotom se restartoval pc. po restartu naběhlo okno combofixu a poté okno Daemon tools lite: INITIALIZATION ERROR 2. THI OR HIDHER PROGRAM REGUIRES AT LEAST WINDOWS 2000 LITH SPTD 1.53 OR HIGHER. KERNEL DEBUGGER MUST BE DEACTIVATED. a toto okno nabíhá při každém zapnutí pc.

1) Odinstaluj Daemon (Start -> Ovl. Panel -> Pridat/Odstranit Programy).
Ak by to neslo, pouzi Revo Uninstaller.


2) Stiahni SPTD, uloz na plochu a spust. Zvol moznost "Uninstall" a restartuj PC.