
Windows requires antispyware - spyware?

Posted: 18 Jan 2010 18:30
by Itachi
Hello,

"Windows requires antispyware" - I know it is some malicious application and I cannot get rid of it. I have run into it somewhere before and solved it, but only thanks to this forum, so I am asking you for help again. It is my friend's PC; he does not know how to be careful.

Here is the log from RSIT:

Logfile of random's system information tool 1.06 (written by random/random)
Run by Beata Luštiakova at 2010-01-18 18:20:10
Systém Microsoft Windows XP Home Edition Service Pack 2
System drive C: has 28 GB (36%) free of 78 GB
Total RAM: 255 MB (32% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:20:27, on 18.1.2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Winamp\winampa.exe
C:\Documents and Settings\Beata Luštiakova\Application Data\pcpriv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ICQ6\ICQ.exe
C:\Documents and Settings\All Users\Ponuka Štart\Programy\Pri spustení\autorun.exe
C:\WINDOWS\system32\cidaemon.exe
F:\Udrzba\RSIT.exe
F:\Udrzba\HijackThis\Beata Luštiakova.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bestyourmeds.com/
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [GSCNS387] C:\Documents and Settings\Beata Luštiakova\Application Data\pcpriv.exe
O4 - HKLM\..\Run: [Printer] C:\WINDOWS\system32\printer.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ICQ] "C:\Program Files\ICQ6\ICQ.exe" silent
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\system32\spoolvs.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: findfast.exe
O4 - Global Startup: autorun.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/s ... wflash.cab

--
End of file - 4812 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{055FD26D-3A88-4e15-963D-DC8493744B1D}]
XTTBPos00 Class - C:\PROGRA~1\ICQTOO~1\toolbaru.dll [2006-12-25 701952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-05-15 50376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - c:\program files\google\googletoolbar1.dll [2005-09-27 770048]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar1.dll [2005-09-27 770048]
{855F3B16-6D32-4fe6-8A56-BBB695989046} - ICQ Toolbar - C:\PROGRA~1\ICQTOO~1\toolbaru.dll [2006-12-25 701952]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SW20"=C:\WINDOWS\system32\sw20.exe [2005-06-29 212992]
"SW24"=C:\WINDOWS\system32\sw24.exe [2005-07-04 69632]
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2005-06-15 86016]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]
"IMJPMIG8.1"=C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE [2004-08-04 208952]
"MSPY2002"=C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC []
"PHIME2002ASync"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC []
"PHIME2002A"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName []
"Cmaudio"=RunDll32 cmicnfg.cpl,CMICtrlWnd []
"DAEMON Tools-1033"=C:\Program Files\D-Tools\daemon.exe [2004-03-12 81920]
"WinampAgent"=C:\Program Files\Winamp\winampa.exe [2003-12-13 33792]
"GSCNS387"=C:\Documents and Settings\Beata Luštiakova\Application Data\pcpriv.exe [2005-12-30 397824]
"Printer"=C:\WINDOWS\system32\printer.exe [2007-05-26 81920]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"NBJ"=C:\Program Files\Ahead\Nero BackItUp\NBJ.exe [2005-02-11 1937408]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2004-08-04 1667584]
"ICQ"=C:\Program Files\ICQ6\ICQ.exe [2008-08-24 173304]
"Spoolsv"=C:\WINDOWS\system32\spoolvs.exe [2007-05-26 81920]

C:\Documents and Settings\All Users\Ponuka Štart\Programy\Pri spustení
autorun.exe

C:\Documents and Settings\Beata Luštiakova\Start Menu\Programs\Startup
findfast.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"DisableTaskMgr"=1
"DisableRegistryTools"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoControlPanel"=1

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Quake III Arena\quake3.exe"="C:\Program Files\Quake III Arena\quake3.exe:*:Enabled:quake3"
"C:\Hry\Warcraft III\Warcraft III.exe"="C:\Hry\Warcraft III\Warcraft III.exe:*:Enabled:Warcraft III"
"C:\Hry\Warcraft III\War3.exe"="C:\Hry\Warcraft III\War3.exe:*:Enabled:Warcraft III"
"C:\Hry\Need For Speed Hot Pursuit 2\NfsHP2.ori"="C:\Hry\Need For Speed Hot Pursuit 2\NfsHP2.ori:*:Disabled:NfsHP2"
"C:\Program Files\Infogrames\Trophy Hunter 2003\TH2003.exe"="C:\Program Files\Infogrames\Trophy Hunter 2003\TH2003.exe:*:Enabled:TH2003"
"C:\Program Files\EA GAMES\Need for Speed Underground 2\speed2.exe"="C:\Program Files\EA GAMES\Need for Speed Underground 2\speed2.exe:*:Disabled:speed2"
"C:\Program Files\THQ\MotoGP URT 3\motogp.exe"="C:\Program Files\THQ\MotoGP URT 3\motogp.exe:*:Enabled:motogp"
"C:\Program Files\ICQ6\ICQ.exe"="C:\Program Files\ICQ6\ICQ.exe:*:Enabled:ICQ6"
"C:\Documents and Settings\Beata Luštiakova\Application Data\printer.exe"="C:\Documents and Settings\Beata Luštiakova\Application Data\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"%windir%\system32\winav.exe"="%windir%\system32\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\Documents and Settings\Beata Luštiakova\Application Data\pcpriv.exe"="C:\Documents and Settings\Beata Luštiakova\Application Data\pcpriv.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\Documents and Settings\Beata Luštiakova\Application Data\syscleaner"="C:\Documents and Settings\Beata Luštiakova\Application Data\syscleaner:*:Enabled:@xpsp2res.dll,-22019"
"C:\Documents and Settings\Beata Luštiakova\Application Data\36108.exe"="C:\Documents and Settings\Beata Luštiakova\Application Data\36108.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\Documents and Settings\Beata Luštiakova\Application Data\31838.exe"="C:\Documents and Settings\Beata Luštiakova\Application Data\31838.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\Documents and Settings\All Users\Ponuka Štart\Programy\Pri spustení\autorun.exe"="C:\Documents and Settings\All Users\Ponuka Štart\Programy\Pri spustení\autorun.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\WINDOWS\system32\printer.exe"="C:\WINDOWS\system32\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\WINDOWS\system32\spoolvs.exe"="C:\WINDOWS\system32\spoolvs.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\WINDOWS\shell.exe"="C:\WINDOWS\shell.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\Documents and Settings\Beata Luštiakova\Start Menu\Programs\Startup\findfast.exe"="C:\Documents and Settings\Beata Luštiakova\Start Menu\Programs\Startup\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\Documents and Settings\Beata Luštiakova\Application Data\mcrupdate.exe"="C:\Documents and Settings\Beata Luštiakova\Application Data\mcrupdate.exe:*:Enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Documents and Settings\Beata Luštiakova\Application Data\printer.exe"="C:\Documents and Settings\Beata Luštiakova\Application Data\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"%windir%\system32\winav.exe"="%windir%\system32\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\Documents and Settings\Beata Luštiakova\Application Data\pcpriv.exe"="C:\Documents and Settings\Beata Luštiakova\Application Data\pcpriv.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\Documents and Settings\Beata Luštiakova\Application Data\syscleaner"="C:\Documents and Settings\Beata Luštiakova\Application Data\syscleaner:*:Enabled:@xpsp2res.dll,-22019"
"C:\Documents and Settings\Beata Luštiakova\Application Data\36108.exe"="C:\Documents and Settings\Beata Luštiakova\Application Data\36108.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\Documents and Settings\Beata Luštiakova\Application Data\31838.exe"="C:\Documents and Settings\Beata Luštiakova\Application Data\31838.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\Documents and Settings\All Users\Ponuka Štart\Programy\Pri spustení\autorun.exe"="C:\Documents and Settings\All Users\Ponuka Štart\Programy\Pri spustení\autorun.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\WINDOWS\system32\printer.exe"="C:\WINDOWS\system32\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\WINDOWS\system32\spoolvs.exe"="C:\WINDOWS\system32\spoolvs.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\WINDOWS\shell.exe"="C:\WINDOWS\shell.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\Documents and Settings\Beata Luštiakova\Start Menu\Programs\Startup\findfast.exe"="C:\Documents and Settings\Beata Luštiakova\Start Menu\Programs\Startup\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\Documents and Settings\Beata Luštiakova\Application Data\mcrupdate.exe"="C:\Documents and Settings\Beata Luštiakova\Application Data\mcrupdate.exe:*:Enabled:@xpsp2res.dll,-22019"

======List of files/folders created in the last 1 months======

2010-01-18 18:20:10 ----D---- C:\rsit
2010-01-18 17:50:46 ----A---- C:\WINDOWS\system32\spoolvs.exe
2010-01-18 17:50:46 ----A---- C:\WINDOWS\shell.exe
2010-01-18 17:50:45 ----A---- C:\WINDOWS\system32\printer.exe
2010-01-18 17:47:26 ----A---- C:\WINDOWS\system32\mdimon.dll
2010-01-18 17:44:56 ----D---- C:\Program Files\Microsoft.NET
2010-01-18 17:43:02 ----D---- C:\Program Files\Common Files\DESIGNER
2010-01-18 17:41:52 ----D---- C:\WINDOWS\SHELLNEW
2010-01-18 17:25:41 ----RHD---- C:\MSOCache
2010-01-18 17:24:56 ----D---- C:\World03
2010-01-18 16:27:34 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

======List of files/folders modified in the last 1 months======

2010-01-18 18:20:15 ----D---- C:\WINDOWS\Prefetch
2010-01-18 17:50:46 ----D---- C:\WINDOWS\system32
2010-01-18 17:50:46 ----D---- C:\WINDOWS
2010-01-18 17:50:32 ----D---- C:\WINDOWS\Temp
2010-01-18 17:49:19 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-01-18 17:48:41 ----D---- C:\WINDOWS\system32\drivers
2010-01-18 17:47:50 ----SHD---- C:\WINDOWS\Installer
2010-01-18 17:47:46 ----SHD---- C:\Config.Msi
2010-01-18 17:47:45 ----A---- C:\WINDOWS\ODBC.INI
2010-01-18 17:46:20 ----A---- C:\WINDOWS\win.ini
2010-01-18 17:45:36 ----D---- C:\Program Files\Common Files\Microsoft Shared
2010-01-18 17:45:27 ----RSD---- C:\WINDOWS\Fonts
2010-01-18 17:44:56 ----RD---- C:\Program Files
2010-01-18 17:43:15 ----D---- C:\Program Files\Microsoft Office
2010-01-18 17:43:02 ----AD---- C:\Program Files\Common Files
2010-01-18 17:42:55 ----HD---- C:\WINDOWS\inf
2010-01-18 17:42:01 ----D---- C:\Program Files\Common Files\System
2010-01-18 17:41:43 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2010-01-18 17:25:49 ----D---- C:\WINDOWS\system
2010-01-18 17:22:04 ----D---- C:\Program Files\altcmd
2010-01-18 15:49:34 ----D---- C:\WINDOWS\system32\CatRoot2
2010-01-17 18:02:02 ----D---- C:\Program Files\ICQToolbar
2010-01-17 17:59:40 ----D---- C:\Program Files\Mozilla Firefox
2010-01-16 19:31:59 ----D---- C:\WINDOWS\security

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 prodrv06;StarForce Protection Environment Driver v6; C:\WINDOWS\System32\drivers\prodrv06.sys [2004-08-09 53920]
R2 athsgt;athsgt; C:\WINDOWS\system32\DRIVERS\athsgt.sys [2007-01-18 164992]
R2 limsgt;limsgt; C:\WINDOWS\system32\DRIVERS\limsgt.sys [2007-01-18 12544]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2004-08-03 11868]
R3 cmuda;C-Media WDM Audio Interface; C:\WINDOWS\system32\drivers\cmuda.sys [2004-08-23 821760]
R3 FETNDISB;VIA Rhine Family Fast Ethernet Adapter Driver Service; C:\WINDOWS\system32\DRIVERS\fetnd5b.sys [2004-01-09 42496]
R3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSFDPSP2.sys [2004-08-03 1041536]
R3 HSFHWBS2;HSFHWBS2; C:\WINDOWS\system32\DRIVERS\HSFBS2S2.sys [2004-08-03 220032]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-04 20480]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSFCXTS2.sys [2004-08-03 685056]
S3 axvdkbus;axvdkbus; C:\WINDOWS\system32\DRIVERS\axvdkbus.sys [2003-02-25 8672]
S3 axvodka;axvodka; C:\WINDOWS\system32\DRIVERS\axvodka.sys [2003-02-27 102272]
S3 FETNDIS;VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\fetnd5.sys []
S3 GMSIPCI;GMSIPCI; \??\D:\INSTALL\GMSIPCI.SYS []
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
S3 k510bus;Sony Ericsson K510 Driver driver (WDM); C:\WINDOWS\system32\DRIVERS\k510bus.sys [2006-02-17 58288]
S3 k510mgmt;Sony Ericsson K510 USB WMC Device Management Drivers (WDM); C:\WINDOWS\system32\DRIVERS\k510mgmt.sys [2006-02-17 85408]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 Pcouffin;Low level access layer for CD devices; C:\WINDOWS\System32\Drivers\Pcouffin.sys []
S3 sermouse;Serial Mouse Driver; C:\WINDOWS\system32\DRIVERS\sermouse.sys [2001-08-17 17664]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 31616]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
S3 WpdUsb;WpdUsb; C:\WINDOWS\System32\Drivers\wpdusb.sys [2004-08-10 18944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2004-08-10 38912]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]

-----------------EOF-----------------



Thank you for your help.
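The HijackThis/RSIT log in this post is the kind of listing the helpers read by eye. As an added illustration that is not part of this thread, the following Python script applies three checks a defender typically makes on such logs: an autorun (O4) launched from a user-writable profile or temp directory, an autorun whose file name is a one-edit lookalike of a Windows system binary, a policy (O7) that disables a built-in admin tool, and an extra program chained onto the Winlogon `Shell` value (F2). The sample lines are constructed and only modelled on the log above; the list of system binaries, the directory hints and the edit-distance threshold are assumptions chosen for the example.

```python
"""Triage helper for HijackThis / RSIT-style autorun lines (added example)."""
import re
from typing import List, Tuple

# Constructed sample in HijackThis format, modelled on the thread's log (not a verbatim copy).
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [NvMediaCenter] RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\\..\\Run: [WinampAgent] C:\\Program Files\\Winamp\\winampa.exe
O4 - HKLM\\..\\Run: [GSCNS387] C:\\Documents and Settings\\User\\Application Data\\pcpriv.exe
O4 - HKCU\\..\\Run: [Spoolsv] C:\\WINDOWS\\system32\\spoolvs.exe
O7 - HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System, DisableRegedit=1
F2 - REG:system.ini: Shell=Explorer.exe C:\\WINDOWS\\shell.exe
"""

# Assumption: a small illustrative list of Windows binaries that malware likes to imitate by name.
KNOWN_SYSTEM_BINARIES = {"spoolsv.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                         "winlogon.exe", "explorer.exe"}

# Assumption: directories from which a legitimate Run entry rarely launches (lower-case substrings).
USER_WRITABLE_HINTS = ("\\application data\\", "\\local settings\\temp\\", "\\temp\\", "\\recycler\\")

O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)(?:\\[^\\]+)?\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O7_RE = re.compile(r"^O7 - .*Policies\\System, (?P<policy>Disable\w+)=1$")
F2_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<shell>.+)$")


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: edits plus adjacent transpositions (spoolvs vs spoolsv = 1)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def _executable(cmd: str) -> str:
    """Pull the launched program out of a Run command line (quoted path, or up to the first .exe/.dll)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.+?\.(?:exe|dll|scr))", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (evidence, reason) pairs for the lines that deserve a closer look."""
    findings: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            exe = _executable(m.group("cmd"))
            low = exe.lower()
            base = low.rsplit("\\", 1)[-1]
            if any(hint in low for hint in USER_WRITABLE_HINTS):
                findings.append((exe, "autorun launched from a user-writable profile/temp directory"))
            elif base not in KNOWN_SYSTEM_BINARIES:
                for known in sorted(KNOWN_SYSTEM_BINARIES):
                    if osa_distance(base, known) <= 1:
                        findings.append((exe, f"file name is a lookalike of system binary {known}"))
                        break
            continue
        m = O7_RE.match(line)
        if m:
            findings.append((m.group("policy"), "policy disables a built-in admin tool"))
            continue
        m = F2_RE.match(line)
        if m:
            extra = [p for p in m.group("shell").split() if p.lower() != "explorer.exe"]
            if extra:
                findings.append((" ".join(extra), "extra program chained onto the Winlogon Shell value"))
    return findings


if __name__ == "__main__":
    for evidence, reason in triage(SAMPLE_LOG):
        print(f"{reason}: {evidence}")
```

Run against the sample it flags four lines: the Run entry under `Application Data`, `spoolvs.exe` (one transposition away from `spoolsv.exe`), the `DisableRegedit` policy and the second program on the `Shell=` line. The heuristics are deliberately coarse; they rank lines for a human to verify, they do not decide on their own.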

Re: Windows requires antispyware - spyware?

Posted: 18 Jan 2010 18:32
by Rudy
Post a ComboFix log.
Download ComboFix and save it, preferably to the desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Then run the application under an account with administrator rights.

Right after it starts, a screen with the licence terms appears; continue by clicking Yes.

Go and make yourself a coffee in the meantime (the whole run takes about 5-10 minutes, sometimes longer, depending on how fast the machine is and how many files the scanner has to wade through); during the scan do not try to launch any other applications or do anything else.

Do not panic during the scan; your machine may be restarted (especially on the first run of the scanner).

Warning: if you use an antispyware program with a resident shield, switch its resident shield to Install Mode, or disable it completely for the duration of the scan, because the scan and removal of any malware collides undesirably with the antispyware resident.

Re: Windows requires antispyware - spyware?

Posted: 18 Jan 2010 19:02
by Itachi
I ran ComboFix and it showed me this:
[screenshot]
Should I download that thing and repeat the process?
(Since it is my mate's PC and I have it here at home, it is not possible to connect it to the internet; I can only download to my PC and carry it over on a USB stick -> install.)

Here is the log:

ComboFix 10-01-17.04 - Beata Luštiakova 18.01.2010 18:40:08.1.1 - x86
Systém Microsoft Windows XP Home Edition 5.1.2600.2.1250.421.1033.18.255.110 [GMT 1:00]
Running from: c:\documents and settings\Beata Luštiakova\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
ADS - svchost.exe: deleted 68 bytes in 1 streams.
ADS - ntoskrnl.exe: deleted 68 bytes in 1 streams.
ADS - explorer.exe: deleted 132 bytes in 1 streams.
ADS - win32k.sys: deleted 68 bytes in 1 streams.
ADS - netcfgx.dll: deleted 100 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Beata Luštiakova\Application Data\45610.exe
c:\documents and settings\Beata Luštiakova\Application Data\9427.exe
c:\program files\altcmd
c:\program files\altcmd\uninstall.bat
c:\recycler\S-1-5-21-2025429265-299502267-725345543-1003
c:\windows\shell.exe
c:\windows\system32\printer.exe
c:\windows\system32\spoolvs.exe

c:\windows\system32\DRIVERS\atapi.sys . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2009-12-18 to 2010-01-18 )))))))))))))))))))))))))))))))
.

2010-01-18 17:20 . 2010-01-18 17:20 -------- d-----w- C:\rsit
2010-01-18 16:47 . 2003-06-19 00:31 18944 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\mdippr.dll
2010-01-18 16:47 . 2003-06-19 00:31 17920 ----a-w- c:\windows\system32\mdimon.dll
2010-01-18 16:44 . 2010-01-18 16:44 -------- d-----w- c:\program files\Microsoft.NET
2010-01-18 16:41 . 2010-01-18 16:44 -------- d-----w- c:\windows\SHELLNEW
2010-01-18 16:25 . 2010-01-18 16:25 -------- d-----r- C:\MSOCache
2010-01-18 16:24 . 2010-01-18 16:25 -------- d-----w- C:\World03
2010-01-18 15:27 . 2010-01-18 16:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-17 17:02 . 2008-02-21 21:18 -------- d-----w- c:\program files\ICQToolbar
2006-12-29 09:41 . 2006-12-29 09:41 0 ----a-w- c:\program files\Common Files\dht342
2005-10-01 15:35 . 2005-10-01 15:35 8 --sh--r- c:\windows\system32\5144E092F1.sys
2005-09-27 13:37 . 2005-09-27 13:37 56 --sha-r- c:\windows\system32\AB627DEE07.sys
2005-10-01 15:35 . 2005-09-27 13:37 952 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

------- Sigcheck -------

[-] 2004-08-04 12:00 . !HASH: COULD NOT OPEN FILE !!!!! . 95360 . . [------] . . c:\windows\system32\drivers\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-02-11 1937408]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]
"ICQ"="c:\program files\ICQ6\ICQ.exe" [2008-08-24 173304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SW20"="c:\windows\system32\sw20.exe" [2005-06-29 212992]
"SW24"="c:\windows\system32\sw24.exe" [2005-07-04 69632]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-06-15 86016]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-03-12 81920]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2003-12-13 33792]
"GSCNS387"="c:\documents and settings\Beata Luštiakova\Application Data\pcpriv.exe" [2005-12-30 397824]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\Beata Luštiakova\Start Menu\Programs\Startup\
findfast.exe [2007-5-18 81920]

c:\documents and settings\All Users\Ponuka Štart\Programy\Pri spustení\
autorun.exe [2007-5-19 81920]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Infogrames\\Trophy Hunter 2003\\TH2003.exe"=
"c:\\Program Files\\EA GAMES\\Need for Speed Underground 2\\speed2.exe"=
"c:\\Program Files\\THQ\\MotoGP URT 3\\motogp.exe"=
"c:\\Program Files\\ICQ6\\ICQ.exe"=
"c:\\Documents and Settings\\Beata Luštiakova\\Application Data\\pcpriv.exe"=
"c:\\Documents and Settings\\Beata Luštiakova\\Application Data\\syscleaner"=
"c:\\Documents and Settings\\All Users\\Ponuka Štart\\Programy\\Pri spustení\\autorun.exe"=
"c:\\Documents and Settings\\Beata Luštiakova\\Start Menu\\Programs\\Startup\\findfast.exe"=
"c:\\Documents and Settings\\Beata Luštiakova\\Application Data\\mcrupdate.exe"=

R0 d346bus;d346bus;c:\windows\system32\drivers\d346bus.sys [15.1.2007 11:24 156800]
R0 d346prt;d346prt;c:\windows\system32\drivers\d346prt.sys [15.1.2007 11:24 5248]
R2 athsgt;athsgt;c:\windows\system32\drivers\athsgt.sys [18.1.2007 14:42 164992]
R2 limsgt;limsgt;c:\windows\system32\drivers\limsgt.sys [18.1.2007 14:42 12544]
S3 axvdkbus;axvdkbus;c:\windows\system32\drivers\axvdkbus.sys [25.2.2003 19:43 8672]
S3 axvodka;axvodka;c:\windows\system32\drivers\axvodka.sys [27.2.2003 17:50 102272]
S3 k510bus;Sony Ericsson K510 Driver driver (WDM);c:\windows\system32\drivers\k510bus.sys [17.3.2007 13:02 58288]
S3 k510mgmt;Sony Ericsson K510 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\k510mgmt.sys [17.3.2007 13:05 85408]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://bestyourmeds.com/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Backward &Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cac&hed Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Si&milar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
FF - ProfilePath - c:\documents and settings\Beata Luštiakova\Application Data\Mozilla\Firefox\Profiles\duwskpzf.default\
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - hxxp://www.zoznam.sk
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".sk");
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-MSPY2002 - c:\windows\system32\IME\PINTLGNT\ImScInst.exe
HKLM-Run-PHIME2002ASync - c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
HKLM-Run-PHIME2002A - c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
HKLM-Run-Cmaudio - cmicnfg.cpl
AddRemove-HijackThis - f:\udrzba\HijackThis\HijackThis.exe
AddRemove-LANGMaster eduExplorer - c:\program files\LANGMaster\Explorer\EpaExplorer.exe
AddRemove-Quake III Arena - c:\program files\Quake III Arena\QIII.isu
AddRemove-{76F4DD9B-C246-4BE0-00B6-3DE9ABF72299} - c:\hry\Need For Speed Hot Pursuit 2\EAUninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-18 18:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8177F008]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf99abfc3
\Driver\ACPI -> ACPI.sys @ 0xf9817cb8
\Driver\atapi -> 0x8177f008
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80577d44
ParseProcedure -> ntkrnlpa.exe @ 0x80576964
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80577d44
ParseProcedure -> ntkrnlpa.exe @ 0x80576964
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3499834959-563758996-1140386757-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2010-01-18 18:52:58
ComboFix-quarantined-files.txt 2010-01-18 17:52

Pre-Run: 31 518 490 624 bytes free
Post-Run: 18 adresárov, 32 045 064 192 voľných bajtov

- - End Of File - - EA31D8B98AAF16AD51619BE591700F66

Re: Windows requires antispyware - spyware?

Posted: 18 Jan 2010 19:58
by Rudy
This is OK; installing the Recovery Console is not necessary. We will clean up a bit more. Open Notepad and copy the following into it:
Collect::
c:\windows\system32\5144E092F1.sys
c:\windows\system32\AB627DEE07.sys
c:\documents and settings\Beata Luštiakova\Application Data\pcpriv.exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GSCNS387"=-
Save it to the desktop as CFScript.txt. Then drag it with the mouse onto the ComboFix icon and release it. CF will start and execute the commands from the script.


Re: Windows requires antispyware - spyware?

Posted: 18 Jan 2010 20:19
by Itachi
Log:

ComboFix 10-01-17.04 - Beata Luštiakova 18.01.2010 20:04:11.2.1 - x86
Systém Microsoft Windows XP Home Edition 5.1.2600.2.1250.421.1033.18.255.108 [GMT 1:00]
Running from: c:\documents and settings\Beata Luštiakova\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Beata Luštiakova\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

file zipped: c:\documents and settings\Beata Luštiakova\Application Data\pcpriv.exe
file zipped: c:\windows\system32\5144E092F1.sys
file zipped: c:\windows\system32\AB627DEE07.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Beata Luštiakova\Application Data\pcpriv.exe
c:\windows\shell.exe
c:\windows\system32\5144E092F1.sys
c:\windows\system32\AB627DEE07.sys
c:\windows\system32\printer.exe
c:\windows\system32\spoolvs.exe

c:\windows\system32\DRIVERS\atapi.sys . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2009-12-18 to 2010-01-18 )))))))))))))))))))))))))))))))
.

2010-01-18 17:20 . 2010-01-18 17:20 -------- d-----w- C:\rsit
2010-01-18 16:47 . 2003-06-19 00:31 18944 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\mdippr.dll
2010-01-18 16:47 . 2003-06-19 00:31 17920 ----a-w- c:\windows\system32\mdimon.dll
2010-01-18 16:44 . 2010-01-18 16:44 -------- d-----w- c:\program files\Microsoft.NET
2010-01-18 16:41 . 2010-01-18 16:44 -------- d-----w- c:\windows\SHELLNEW
2010-01-18 16:25 . 2010-01-18 16:25 -------- d-----r- C:\MSOCache
2010-01-18 16:24 . 2010-01-18 16:25 -------- d-----w- C:\World03
2010-01-18 15:27 . 2010-01-18 16:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-17 17:02 . 2008-02-21 21:18 -------- d-----w- c:\program files\ICQToolbar
2006-12-29 09:41 . 2006-12-29 09:41 0 ----a-w- c:\program files\Common Files\dht342
2005-10-01 15:35 . 2005-09-27 13:37 952 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

------- Sigcheck -------

[-] 2004-08-04 12:00 . !HASH: COULD NOT OPEN FILE !!!!! . 95360 . . [------] . . c:\windows\system32\drivers\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-02-11 1937408]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]
"ICQ"="c:\program files\ICQ6\ICQ.exe" [2008-08-24 173304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SW20"="c:\windows\system32\sw20.exe" [2005-06-29 212992]
"SW24"="c:\windows\system32\sw24.exe" [2005-07-04 69632]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-06-15 86016]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-03-12 81920]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2003-12-13 33792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\Beata Luštiakova\Start Menu\Programs\Startup\
findfast.exe [2007-5-18 81920]

c:\documents and settings\All Users\Ponuka Štart\Programy\Pri spustení\
autorun.exe [2007-5-25 81920]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Infogrames\\Trophy Hunter 2003\\TH2003.exe"=
"c:\\Program Files\\EA GAMES\\Need for Speed Underground 2\\speed2.exe"=
"c:\\Program Files\\THQ\\MotoGP URT 3\\motogp.exe"=
"c:\\Program Files\\ICQ6\\ICQ.exe"=
"c:\\Documents and Settings\\Beata Luštiakova\\Application Data\\syscleaner"=
"c:\\Documents and Settings\\All Users\\Ponuka Štart\\Programy\\Pri spustení\\autorun.exe"=
"c:\\Documents and Settings\\Beata Luštiakova\\Start Menu\\Programs\\Startup\\findfast.exe"=
"c:\\Documents and Settings\\Beata Luštiakova\\Application Data\\mcrupdate.exe"=

R0 d346bus;d346bus;c:\windows\system32\drivers\d346bus.sys [15.1.2007 11:24 156800]
R0 d346prt;d346prt;c:\windows\system32\drivers\d346prt.sys [15.1.2007 11:24 5248]
R2 athsgt;athsgt;c:\windows\system32\drivers\athsgt.sys [18.1.2007 14:42 164992]
R2 limsgt;limsgt;c:\windows\system32\drivers\limsgt.sys [18.1.2007 14:42 12544]
S3 axvdkbus;axvdkbus;c:\windows\system32\drivers\axvdkbus.sys [25.2.2003 19:43 8672]
S3 axvodka;axvodka;c:\windows\system32\drivers\axvodka.sys [27.2.2003 17:50 102272]
S3 k510bus;Sony Ericsson K510 Driver driver (WDM);c:\windows\system32\drivers\k510bus.sys [17.3.2007 13:02 58288]
S3 k510mgmt;Sony Ericsson K510 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\k510mgmt.sys [17.3.2007 13:05 85408]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://bestyourmeds.com/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Backward &Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cac&hed Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Si&milar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
FF - ProfilePath - c:\documents and settings\Beata Luštiakova\Application Data\Mozilla\Firefox\Profiles\duwskpzf.default\
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - hxxp://www.zoznam.sk
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".sk");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-18 20:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x81742708]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf99abfc3
\Driver\ACPI -> ACPI.sys @ 0xf9817cb8
\Driver\atapi -> 0x81742708
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80577d44
ParseProcedure -> ntkrnlpa.exe @ 0x80576964
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80577d44
ParseProcedure -> ntkrnlpa.exe @ 0x80576964
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3499834959-563758996-1140386757-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2010-01-18 20:12:33
ComboFix-quarantined-files.txt 2010-01-18 19:12
ComboFix2.txt 2010-01-18 17:52

Pre-Run: 32 046 706 688 bytes free
Post-Run: 18 directories, 32 018 128 896 bytes free

- - End Of File - - 9C0760D183CC1555AA492C104706DD00
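
The part of this log worth reading closely is the GMER block near the end. Every hook except \Driver\atapi resolves into a named driver (CLASSPNP.SYS, ACPI.sys), while \Driver\atapi dispatches to a bare address (0x81742708) that the same tool lists as >>UNKNOWN<< in the "called modules" chain, and Sigcheck could not even open atapi.sys to hash it. Both signals point at a disk driver whose code now lives outside every loaded module. The Python below is an added example, not part of the thread and not ComboFix or GMER code; it parses those lines (the sample is the Sigcheck line and the MBR-detector block copied from the log above, trimmed to the relevant lines) and reports exactly those two conditions:

```python
import re

# Constructed sample: Sigcheck line plus the GMER MBR-detector block copied from the
# ComboFix log above (raw string so the Windows paths keep their backslashes).
SAMPLE_LOG = r"""
------- Sigcheck -------

[-] 2004-08-04 12:00 . !HASH: COULD NOT OPEN FILE !!!!! . 95360 . . [------] . . c:\windows\system32\drivers\atapi.sys
.
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x81742708]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf99abfc3
\Driver\ACPI -> ACPI.sys @ 0xf9817cb8
\Driver\atapi -> 0x81742708
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80577d44
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80577d44
NDIS: -> SendCompleteHandler -> 0x0
Warning: possible MBR rootkit infection !
user & kernel MBR OK
"""

# "\Driver\<name> -> <target>" lines from the "detected MBR rootkit hooks" list.
HOOK_RE = re.compile(r"^(?P<obj>\\Driver\\\S+) -> (?P<target>.+)$")
# A target GMER could attribute to a loaded module: "<module> @ 0x<addr>".
MODULE_RE = re.compile(r"^(?P<module>\S+) @ (?P<addr>0x[0-9a-fA-F]+)$")
# Code region found in the driver call chain but owned by no module.
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")
# Sigcheck entry whose file could not be opened for hashing; the path is the last token.
SIGCHECK_FAIL_RE = re.compile(r"^\[-\] .*!HASH: COULD NOT OPEN FILE.*\s(?P<path>\S+)$")


def parse_hooks(log_text):
    """Return one dict per \\Driver hook: object, module (None if unattributed), address."""
    hooks = []
    for line in log_text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        target = m.group("target").strip()
        mm = MODULE_RE.match(target)
        hooks.append({
            "object": m.group("obj"),
            "module": mm.group("module") if mm else None,
            "address": mm.group("addr") if mm else target,
        })
    return hooks


def unknown_code_regions(log_text):
    """Addresses GMER marked >>UNKNOWN<< in the 'called modules' chain."""
    return UNKNOWN_RE.findall(log_text)


def unreadable_sigcheck(log_text):
    """Paths Sigcheck listed with [-] because it could not open/hash the file."""
    found = []
    for line in log_text.splitlines():
        m = SIGCHECK_FAIL_RE.match(line.strip())
        if m:
            found.append(m.group("path"))
    return found


def triage(log_text):
    """Human-readable findings combining the signals above."""
    findings = []
    unknown = {a.lower() for a in unknown_code_regions(log_text)}
    for hook in parse_hooks(log_text):
        if hook["module"] is not None:
            # Attributed to a named driver; on its own that is not evidence of tampering.
            continue
        note = "%s dispatches to %s, which no loaded module owns" % (hook["object"], hook["address"])
        if hook["address"].lower() in unknown:
            note += " (same region GMER flagged as >>UNKNOWN<< in the call chain)"
        findings.append(note)
    for path in unreadable_sigcheck(log_text):
        findings.append("Sigcheck could not hash %s; verify this driver from offline media" % path)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)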

Re: Windows requires antispyware - spyware?

Posted: 18 Jan 2010 20:30
by Rudy
Run it once more with this script:
FCopy::
c:\windows\ServicePackFiles\i386\atapi.sys | c:\windows\system32\DRIVERS\atapi.sys

Mbr::

Re: Windows requires antispyware - spyware?

Posted: 18 Jan 2010 20:59
by Itachi
ComboFix 10-01-17.04 - Beata Luštiakova 18.01.2010 20:36:23.3.1 - x86
System Microsoft Windows XP Home Edition 5.1.2600.2.1250.421.1033.18.255.108 [GMT 1:00]
Running from: c:\documents and settings\Beata Luštiakova\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Beata Luštiakova\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\shell.exe
c:\windows\system32\printer.exe
c:\windows\system32\spoolvs.exe

c:\windows\system32\DRIVERS\atapi.sys . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2009-12-18 to 2010-01-18 )))))))))))))))))))))))))))))))
.

2010-01-18 17:20 . 2010-01-18 17:20 -------- d-----w- C:\rsit
2010-01-18 16:47 . 2003-06-19 00:31 18944 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\mdippr.dll
2010-01-18 16:47 . 2003-06-19 00:31 17920 ----a-w- c:\windows\system32\mdimon.dll
2010-01-18 16:44 . 2010-01-18 16:44 -------- d-----w- c:\program files\Microsoft.NET
2010-01-18 16:41 . 2010-01-18 16:44 -------- d-----w- c:\windows\SHELLNEW
2010-01-18 16:25 . 2010-01-18 16:25 -------- d-----r- C:\MSOCache
2010-01-18 16:24 . 2010-01-18 16:25 -------- d-----w- C:\World03
2010-01-18 15:27 . 2010-01-18 16:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-17 17:02 . 2008-02-21 21:18 -------- d-----w- c:\program files\ICQToolbar
2006-12-29 09:41 . 2006-12-29 09:41 0 ----a-w- c:\program files\Common Files\dht342
2005-10-01 15:35 . 2005-09-27 13:37 952 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

------- Sigcheck -------

[-] 2004-08-04 12:00 . !HASH: COULD NOT OPEN FILE !!!!! . 95360 . . [------] . . c:\windows\system32\drivers\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-02-11 1937408]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]
"ICQ"="c:\program files\ICQ6\ICQ.exe" [2008-08-24 173304]
"Spoolsv"="c:\windows\system32\spoolvs.exe" [2007-05-25 81920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SW20"="c:\windows\system32\sw20.exe" [2005-06-29 212992]
"SW24"="c:\windows\system32\sw24.exe" [2005-07-04 69632]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-06-15 86016]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-03-12 81920]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2003-12-13 33792]
"Printer"="c:\windows\system32\printer.exe" [2007-05-25 81920]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\Beata Luštiakova\Start Menu\Programs\Startup\
findfast.exe [2007-5-18 81920]

c:\documents and settings\All Users\Ponuka Štart\Programy\Pri spustení\
autorun.exe [2007-5-25 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 1 (0x1)
"DisableTaskMgr"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe c:\windows\shell.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Infogrames\\Trophy Hunter 2003\\TH2003.exe"=
"c:\\Program Files\\EA GAMES\\Need for Speed Underground 2\\speed2.exe"=
"c:\\Program Files\\THQ\\MotoGP URT 3\\motogp.exe"=
"c:\\Program Files\\ICQ6\\ICQ.exe"=
"c:\\Documents and Settings\\Beata Luštiakova\\Application Data\\syscleaner"=
"c:\\Documents and Settings\\All Users\\Ponuka Štart\\Programy\\Pri spustení\\autorun.exe"=
"c:\\Documents and Settings\\Beata Luštiakova\\Start Menu\\Programs\\Startup\\findfast.exe"=
"c:\\Documents and Settings\\Beata Luštiakova\\Application Data\\mcrupdate.exe"=
"c:\\WINDOWS\\system32\\printer.exe"=
"c:\\WINDOWS\\system32\\spoolvs.exe"=
"c:\\WINDOWS\\shell.exe"=
"%windir%\\system32\\winav.exe"=

R0 d346bus;d346bus;c:\windows\system32\drivers\d346bus.sys [15.1.2007 11:24 156800]
R0 d346prt;d346prt;c:\windows\system32\drivers\d346prt.sys [15.1.2007 11:24 5248]
R2 athsgt;athsgt;c:\windows\system32\drivers\athsgt.sys [18.1.2007 14:42 164992]
R2 limsgt;limsgt;c:\windows\system32\drivers\limsgt.sys [18.1.2007 14:42 12544]
S3 axvdkbus;axvdkbus;c:\windows\system32\drivers\axvdkbus.sys [25.2.2003 19:43 8672]
S3 axvodka;axvodka;c:\windows\system32\drivers\axvodka.sys [27.2.2003 17:50 102272]
S3 k510bus;Sony Ericsson K510 Driver driver (WDM);c:\windows\system32\drivers\k510bus.sys [17.3.2007 13:02 58288]
S3 k510mgmt;Sony Ericsson K510 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\k510mgmt.sys [17.3.2007 13:05 85408]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://bestyourmeds.com/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Backward &Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cac&hed Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Si&milar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
FF - ProfilePath - c:\documents and settings\Beata Luštiakova\Application Data\Mozilla\Firefox\Profiles\duwskpzf.default\
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - hxxp://www.zoznam.sk
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".sk");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-18 20:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x817353D8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf99abfc3
\Driver\ACPI -> ACPI.sys @ 0xf9817cb8
\Driver\atapi -> 0x817353d8
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80577d44
ParseProcedure -> ntkrnlpa.exe @ 0x80576964
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80577d44
ParseProcedure -> ntkrnlpa.exe @ 0x80576964
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3499834959-563758996-1140386757-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(628)
c:\windows\system32\COMRes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\documents and settings\All Users\Ponuka Štart\Programy\Pri spustení\autorun.exe
c:\documents and settings\Beata Luštiakova\Start Menu\Programs\Startup\findfast.exe
.
**************************************************************************
.
Completion time: 2010-01-18 20:48:06 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-18 19:48
ComboFix2.txt 2010-01-18 19:12
ComboFix3.txt 2010-01-18 17:52

Pre-Run: 32 018 378 752 bytes free
Post-Run: 18 directories, 31 990 779 904 bytes free

- - End Of File - - BFD9AD2435C08A4C38F7E69A966D6D5B

Re: Windows requires antispyware - spyware?

Posted: 18 Jan 2010 22:02
by Rudy
Unfortunately, once more. Download the atapi.sys file from here: http://www.edisk.cz/stahni/86168/atapi.rar_10.99KB.htm and extract it to the desktop. Then run CF with this script:
FCopy::
c:\documents and settings\Beata Luštiakova\Desktop\atapi.sys | c:\windows\system32\DRIVERS\atapi.sys

Re: Windows requires antispyware - spyware?

Posted: 19 Jan 2010 15:17
by Itachi
Unfortunately, I can't download that file from edisk :(

Re: Windows requires antispyware - spyware?

Posted: 19 Jan 2010 18:37
by Rudy
I have attached it to the post.

Re: Windows requires antispyware - spyware?

Posted: 19 Jan 2010 19:06
by Itachi
edit: after a restart the PC offers the choice of starting Windows normally, safe mode, etc... If need be, I could move his disk into my PC and fix something, because no mode starts :(
edit2: I managed to boot the WinXP CD, should I try to repair it?

ComboFix 10-01-17.04 - Beata Luštiakova 19.01.2010 18:45:18.4.1 - x86
System Microsoft Windows XP Home Edition 5.1.2600.2.1250.421.1033.18.255.106 [GMT 1:00]
Running from: c:\documents and settings\Beata Luštiakova\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Beata Luštiakova\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\shell.exe
c:\windows\system32\printer.exe
c:\windows\system32\spoolvs.exe

c:\windows\system32\DRIVERS\atapi.sys . . . is infected!!

.
--------------- FCopy ---------------

c:\documents and settings\Beata Luštiakova\Desktop\atapi.sys --> c:\windows\system32\DRIVERS\atapi.sys
.
((((((((((((((((((((((((( Files Created from 2009-12-19 to 2010-01-19 )))))))))))))))))))))))))))))))
.

2010-01-18 17:20 . 2010-01-18 17:20 -------- d-----w- C:\rsit
2010-01-18 16:47 . 2003-06-19 00:31 18944 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\mdippr.dll
2010-01-18 16:47 . 2003-06-19 00:31 17920 ----a-w- c:\windows\system32\mdimon.dll
2010-01-18 16:44 . 2010-01-18 16:44 -------- d-----w- c:\program files\Microsoft.NET
2010-01-18 16:41 . 2010-01-18 16:44 -------- d-----w- c:\windows\SHELLNEW
2010-01-18 16:25 . 2010-01-18 16:25 -------- d-----r- C:\MSOCache
2010-01-18 16:24 . 2010-01-18 16:25 -------- d-----w- C:\World03
2010-01-18 15:27 . 2010-01-18 16:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-17 17:02 . 2008-02-21 21:18 -------- d-----w- c:\program files\ICQToolbar
2006-12-29 09:41 . 2006-12-29 09:41 0 ----a-w- c:\program files\Common Files\dht342
2005-10-01 15:35 . 2005-09-27 13:37 952 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-01-18_17.48.33 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-04 12:00 . 2009-07-14 01:26 21584 c:\windows\system32\dllcache\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-02-11 1937408]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]
"ICQ"="c:\program files\ICQ6\ICQ.exe" [2008-08-24 173304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SW20"="c:\windows\system32\sw20.exe" [2005-06-29 212992]
"SW24"="c:\windows\system32\sw24.exe" [2005-07-04 69632]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-06-15 86016]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-03-12 81920]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2003-12-13 33792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\Beata Luštiakova\Start Menu\Programs\Startup\
findfast.exe [2007-5-21 81920]

c:\documents and settings\All Users\Ponuka Štart\Programy\Pri spustení\
autorun.exe [2007-5-21 81920]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Infogrames\\Trophy Hunter 2003\\TH2003.exe"=
"c:\\Program Files\\EA GAMES\\Need for Speed Underground 2\\speed2.exe"=
"c:\\Program Files\\THQ\\MotoGP URT 3\\motogp.exe"=
"c:\\Program Files\\ICQ6\\ICQ.exe"=
"c:\\Documents and Settings\\Beata Luštiakova\\Application Data\\syscleaner"=
"c:\\Documents and Settings\\All Users\\Ponuka Štart\\Programy\\Pri spustení\\autorun.exe"=
"c:\\Documents and Settings\\Beata Luštiakova\\Start Menu\\Programs\\Startup\\findfast.exe"=
"c:\\Documents and Settings\\Beata Luštiakova\\Application Data\\mcrupdate.exe"=

R0 d346bus;d346bus;c:\windows\system32\drivers\d346bus.sys [15.1.2007 11:24 156800]
R0 d346prt;d346prt;c:\windows\system32\drivers\d346prt.sys [15.1.2007 11:24 5248]
R2 athsgt;athsgt;c:\windows\system32\drivers\athsgt.sys [18.1.2007 14:42 164992]
R2 limsgt;limsgt;c:\windows\system32\drivers\limsgt.sys [18.1.2007 14:42 12544]
S3 axvdkbus;axvdkbus;c:\windows\system32\drivers\axvdkbus.sys [25.2.2003 19:43 8672]
S3 axvodka;axvodka;c:\windows\system32\drivers\axvodka.sys [27.2.2003 17:50 102272]
S3 k510bus;Sony Ericsson K510 Driver driver (WDM);c:\windows\system32\drivers\k510bus.sys [17.3.2007 13:02 58288]
S3 k510mgmt;Sony Ericsson K510 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\k510mgmt.sys [17.3.2007 13:05 85408]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://bestyourmeds.com/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Backward &Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cac&hed Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Si&milar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
FF - ProfilePath - c:\documents and settings\Beata Luštiakova\Application Data\Mozilla\Firefox\Profiles\duwskpzf.default\
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - hxxp://www.zoznam.sk
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".sk");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-19 18:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x818DF790]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf99abfc3
\Driver\ACPI -> ACPI.sys @ 0xf9817cb8
\Driver\atapi -> 0x818df790
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80577d44
ParseProcedure -> ntkrnlpa.exe @ 0x80576964
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80577d44
ParseProcedure -> ntkrnlpa.exe @ 0x80576964
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3499834959-563758996-1140386757-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2010-01-19 18:54:13
ComboFix-quarantined-files.txt 2010-01-19 17:54
ComboFix2.txt 2010-01-18 19:48
ComboFix3.txt 2010-01-18 19:12
ComboFix4.txt 2010-01-18 17:52

Pre-Run: 32 160 714 752 bytes free
Post-Run: 18 directories, 32 133 816 320 bytes free

- - End Of File - - 413CD1C6D56C2E134ADF8439A5F48846

Re: Windows requires antispyware - spyware?

Posted: 19 Jan 2010 19:28
by Rudy
There is probably some hidden pest in there. The atapi.sys file gets infected again immediately after it is copied over. Run an AVPTool scan and delete everything it finds: http://www.viry.cz/forum/viewtopic.php?f=29&t=58179 .
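
Rudy's conclusion can be checked mechanically rather than by eye: compare the "Other Deletions" sections of the successive ComboFix runs posted above. Items deleted in one run and absent from the next were really removed; items ComboFix deletes again in every run are being recreated by something it does not see. The Python below is an added example, not part of the thread and not ComboFix's own tooling; the three samples are the deletion blocks copied from the three runs above (keyed by each run's completion time), and the parser's assumptions about ComboFix's two header styles are taken from those logs only:

```python
import re

# Constructed samples: the "Other Deletions" blocks of the three ComboFix runs posted
# above, keyed by completion time, copied as-is (raw strings keep the backslashes).
RUNS = {
    "2010-01-18 20:12": r"""
((((((((((((((( Other Deletions )))))))))))))))
.

c:\documents and settings\Beata Luštiakova\Application Data\pcpriv.exe
c:\windows\shell.exe
c:\windows\system32\5144E092F1.sys
c:\windows\system32\AB627DEE07.sys
c:\windows\system32\printer.exe
c:\windows\system32\spoolvs.exe

c:\windows\system32\DRIVERS\atapi.sys . . . is infected!!

.
((((((((((((((( Files Created from 2009-12-18 to 2010-01-18 )))))))))))))))
""",
    "2010-01-18 20:48": r"""
((((((((((((((( Other Deletions )))))))))))))))
.

c:\windows\shell.exe
c:\windows\system32\printer.exe
c:\windows\system32\spoolvs.exe

c:\windows\system32\DRIVERS\atapi.sys . . . is infected!!
""",
    "2010-01-19 18:54": r"""
((((((((((((((( Other Deletions )))))))))))))))
.

c:\windows\shell.exe
c:\windows\system32\printer.exe
c:\windows\system32\spoolvs.exe

c:\windows\system32\DRIVERS\atapi.sys . . . is infected!!

.
--------------- FCopy ---------------

c:\documents and settings\Beata Luštiakova\Desktop\atapi.sys --> c:\windows\system32\DRIVERS\atapi.sys
.
((((((((((((((( Files Created from 2009-12-19 to 2010-01-19 )))))))))))))))
""",
}

# ComboFix section headers come in two shapes: "((( name )))" and "--- name ---".
PAREN_HDR = re.compile(r"^\(+\s*(?P<name>[^()]+?)\s*\)+$")
DASH_HDR = re.compile(r"^-{3,}\s*(?P<name>.+?)\s*-{3,}$")


def other_deletions(log_text):
    """Split one run's 'Other Deletions' section into (deleted paths, paths flagged infected).

    Paths are lower-cased: NTFS paths are case-insensitive and ComboFix is not
    consistent about case between runs.
    """
    deleted, infected = [], []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        hdr = PAREN_HDR.match(line) or DASH_HDR.match(line)
        if hdr:
            in_section = hdr.group("name").lower() == "other deletions"
            continue
        if not in_section or line in ("", "."):
            continue
        if line.endswith("is infected!!"):
            infected.append(line.split(" . . . ")[0].lower())
        else:
            deleted.append(line.lower())
    return deleted, infected


def _per_run_sets(runs):
    sets = []
    for text in runs.values():
        deleted, infected = other_deletions(text)
        sets.append(set(deleted) | {p + " (infected)" for p in infected})
    return sets


def persistent_items(runs):
    """Items removed or flagged in every run: something still on the box recreates them."""
    sets = _per_run_sets(runs)
    return sorted(set.intersection(*sets)) if sets else []


def transient_items(runs):
    """Items seen in some runs only: the cleanup of these actually held."""
    sets = _per_run_sets(runs)
    if not sets:
        return []
    return sorted(set.union(*sets) - set.intersection(*sets))


if __name__ == "__main__":
    print("recreated after every run:")
    for item in persistent_items(RUNS):
        print("  " + item)
    print("removed for good:")
    for item in transient_items(RUNS):
        print("  " + item)
```

On the three runs above the script separates pcpriv.exe and the two random-named .sys files (gone after the first run) from shell.exe, printer.exe, spoolvs.exe and the infected atapi.sys, which ComboFix removes or flags every single time. Anything in the second group is being put back by a component the cleanup is not reaching, which is the point Rudy makes.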

Re: Windows requires antispyware - spyware?

Posted: 19 Jan 2010 19:29
by Itachi
What about this?
edit: after a restart the PC offers the choice of starting Windows normally, safe mode, etc... If need be, I could move his disk into my PC and fix something, because no mode starts
edit2: I managed to boot the WinXP CD, should I try to repair it?

Re: Windows requires antispyware - spyware?

Posted: 19 Jan 2010 19:33
by Rudy
You can try.

Re: Windows requires antispyware - spyware?

Posted: 19 Jan 2010 22:53
by Itachi
And not just one :)

Autoscan: completed 8 minutes ago (events: 14, objects: 235183, time: 01:02:24)
19.1.2010 21:12:43 Task started
19.1.2010 21:20:06 Detected: not-a-virus:FraudTool.Win32.PC-AntiSpy.heur C:\Documents and Settings\Beata Luštiakova\Application Data\syscleaner
19.1.2010 21:20:55 Deleted: not-a-virus:FraudTool.Win32.PC-AntiSpy.heur C:\Documents and Settings\Beata Luštiakova\Application Data\syscleaner
19.1.2010 22:01:20 Detected: Trojan.Win32.Scar.rli C:\Qoobox\Quarantine\C\WINDOWS\shell.exe.vir
19.1.2010 22:01:23 Detected: Trojan-Downloader.Win32.FraudLoad.vbox C:\Qoobox\Quarantine\[4]-Submit_2010-01-18_20.04.04.zip/pcpriv.exe/PE_Patch.PECompact/PecBundle/PECompact
19.1.2010 22:01:25 Deleted: Trojan-Downloader.Win32.FraudLoad.vbox C:\Qoobox\Quarantine\[4]-Submit_2010-01-18_20.04.04.zip/pcpriv.exe
19.1.2010 22:02:34 Deleted: Trojan.Win32.Scar.rli C:\Qoobox\Quarantine\C\WINDOWS\shell.exe.vir
19.1.2010 22:02:34 Detected: Trojan.Win32.Scar.rli C:\Qoobox\Quarantine\C\WINDOWS\system32\printer.exe.vir
19.1.2010 22:02:40 Deleted: Trojan.Win32.Scar.rli C:\Qoobox\Quarantine\C\WINDOWS\system32\printer.exe.vir
19.1.2010 22:02:40 Detected: Trojan.Win32.Scar.rli C:\Qoobox\Quarantine\C\WINDOWS\system32\spoolvs.exe.vir
19.1.2010 22:02:45 Deleted: Trojan.Win32.Scar.rli C:\Qoobox\Quarantine\C\WINDOWS\system32\spoolvs.exe.vir
19.1.2010 22:12:18 Detected: Trojan.Win32.Qhost.nl C:\WINDOWS\system32\drivers\etc\hosts.20100118-164046.backup
19.1.2010 22:13:06 Deleted: Trojan.Win32.Qhost.nl C:\WINDOWS\system32\drivers\etc\hosts.20100118-164046.backup
19.1.2010 22:15:07 Task completed

Otherwise the PC is running fine now, and the owner is coming to pick it up shortly, so there will be no time for any further fixes. Thank you for your time, many thanks!