Odvirování PC, zrychlení počítače, vzdálená pomoc prostřednictvím služby neslape.cz

Combofix hlásí rootkit

Máte problém s virem? Vložte sem log z FRST nebo RSIT.

Moderátor: Moderátoři

Pravidla fóra
Pokud chcete pomoc, vložte log z FRST [návod zde] nebo RSIT [návod zde]

Jednotlivé thready budou po vyřešení uzamčeny. Stejně tak ty, které budou nečinné déle než 14 dní. Vizte Pravidlo o zamykání témat. Děkujeme za pochopení.

!NOVINKA!
Nově lze využívat služby vzdálené pomoci, kdy se k vašemu počítači připojí odborník a bližší informace o problému si od vás získá telefonicky! Více na www.neslape.cz
Odpovědět
Zpráva
Autor
nowas
Návštěvník
Návštěvník
Příspěvky: 20
Registrován: 05 úno 2006 02:54

Combofix hlásí rootkit

#1 Příspěvek od nowas »

Ahoj prosim o kontrolu logu Combofix hlásí rootkit
diky

ComboFix 10-01-26.06 - Irma 27.01.2010 15:34:09.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1250.420.1029.18.959.176 [GMT 1:00]
Spuštěný z: c:\users\Irma\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Soubory vytvořené od 2009-12-27 do 2010-01-27 )))))))))))))))))))))))))))))))
.

2010-01-27 14:43 . 2010-01-27 14:45 -------- d-----w- c:\users\Irma\AppData\Local\temp
2010-01-27 14:43 . 2010-01-27 14:43 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-01-27 14:43 . 2010-01-27 14:43 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-27 11:15 . 2010-01-27 11:15 -------- d-----w- c:\program files\Kaspersky Lab
2010-01-27 11:12 . 2010-01-27 11:12 -------- d-----w- c:\programdata\Kaspersky Lab Setup Files
2010-01-27 10:01 . 2010-01-27 10:01 -------- d-----w- c:\program files\CCleaner
2010-01-27 09:31 . 2010-01-27 11:08 -------- d-----w- c:\programdata\PC Tools
2010-01-27 08:35 . 2010-01-27 08:35 -------- d-----w- c:\users\Irma\AppData\Roaming\URSoft
2010-01-27 08:35 . 2010-01-27 08:35 -------- d-----w- c:\program files\Your Uninstaller 2010
2010-01-12 22:43 . 2009-10-19 13:38 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-01-12 22:43 . 2009-10-19 13:35 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-01-09 10:28 . 2010-01-09 10:36 -------- d-----w- c:\users\Irma\AppData\Roaming\U3

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-27 11:32 . 2007-04-28 15:51 112144 ----a-w- c:\windows\system32\drivers\kl1.sys
2010-01-27 08:32 . 2007-01-08 21:09 598600 ----a-w- c:\windows\system32\perfh005.dat
2010-01-27 08:32 . 2007-01-08 21:09 114808 ----a-w- c:\windows\system32\perfc005.dat
2010-01-14 10:12 . 2009-10-03 11:13 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-13 22:53 . 2007-04-13 09:46 -------- d-----w- c:\programdata\Microsoft Help
2010-01-13 22:52 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-01-02 06:38 . 2010-01-21 20:43 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-21 20:43 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32 . 2010-01-21 20:43 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57 . 2010-01-21 20:43 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-20 08:16 . 2009-12-20 08:16 515848 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-12-13 19:18 . 2009-12-13 19:18 -------- d-----w- c:\program files\MSXML 4.0
2009-12-09 22:58 . 2009-12-09 22:58 -------- d-----w- c:\program files\Software602
2009-12-04 13:04 . 2009-12-04 13:04 -------- d-----w- c:\program files\AVG
2009-12-04 12:51 . 2009-12-04 12:51 -------- d-----w- c:\program files\Windows Portable Devices
2009-12-04 12:50 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-12-04 12:50 . 2009-12-04 12:50 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-12-03 05:20 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-12-03 05:19 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-12-03 05:19 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2009-12-03 05:19 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2009-12-03 05:19 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2009-12-03 05:19 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-12-03 05:16 . 2009-12-03 05:16 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-11-28 14:57 . 2006-11-02 10:32 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2009-11-28 14:57 . 2006-11-02 10:32 82432 ----a-w- c:\windows\system32\axaltocm.dll
2009-11-26 21:31 . 2007-10-23 07:00 99864 ----a-w- c:\users\Irma\AppData\Local\GDIPFONTCACHEV1.DAT
2009-11-09 12:31 . 2009-12-13 19:17 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-11-09 12:30 . 2009-12-13 19:17 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-11-09 10:36 . 2009-12-13 19:17 411648 ----a-w- c:\windows\system32\drivers\http.sys
2004-12-02 05:18 . 2007-04-13 10:17 222390 --sha-r- c:\windows\ConfigSetRoot\IO.SYS
.

(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 2153472]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2007-06-20 4493312]
"Skytel"="Skytel.exe" [2007-06-15 1826816]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-04-12 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-12 8429568]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-12 81920]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Remote Control.lnk - c:\program files\KWorld Multimedia\TV Tuner Card Utilities\HMCP3XCtl.exe [2007-7-12 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"VistaSp2"=hex(b):76,ac,b4,1d,d9,73,ca,01

R3 3xHybrid;3xHybrid service;c:\windows\System32\drivers\3xHybrid.sys [20.4.2007 12:34 674048]
S2 BT848;WinFast TV2000 XP WDM Video Capture;c:\windows\System32\drivers\wf2kvcap.sys [4.10.2004 10:34 75925]
S3 EZAIALOWSF;EZAIALOWSF;c:\users\Irma\AppData\Local\Temp\EZAIALOWSF.exe --> c:\users\Irma\AppData\Local\Temp\EZAIALOWSF.exe [?]
S3 FontCache;Mezipaměť písem Windows;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [8.6.2008 9:20 21504]
S3 Ph3xIB32;Philips 713x Inbox PCI TV Card;c:\windows\System32\drivers\Ph3xIB32.sys [2.11.2006 11:32 1083520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Obsah adresáře 'Naplánované úlohy'

2010-01-27 c:\windows\Tasks\User_Feed_Synchronization-{0023ABC7-74C2-496E-9CE7-01F885722655}.job
- c:\windows\system32\msfeedssync.exe [2010-01-21 04:56]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.seznam.cz/
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {672EE252-D813-4F5E-81BB-5DD163DD4FA5} - hxxps://www.mojedatovaschranka.cz/static/pages/ ... ctivex.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-27 15:44
Windows 6.0.6002 Service Pack 2 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x85005AB8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x82bbdd24
\Driver\ACPI -> acpi.sys @ 0x80616d68
\Driver\atapi -> 0x8588ca28
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\windows\system32\WUDFHost.exe
c:\windows\system32\conime.exe
c:\windows\RtHDVCpl.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\rundll32.exe
c:\windows\ehome\ehmsas.exe
c:\windows\ehome\ehsched.exe
c:\windows\ehome\ehRecvr.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Celkový čas: 2010-01-27 15:50:58 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-01-27 14:50
ComboFix2.txt 2010-01-27 09:12

Před spuštěním: Volných bajtů: 186 433 114 112
Po spuštění: Volných bajtů: 186 316 488 704

- - End Of File - - 15C537E97F974687FC4375ED81FFFFA6
Nahoru
nowas
Návštěvník
Návštěvník
Příspěvky: 20
Registrován: 05 úno 2006 02:54

Re: Combofix hlásí rootkit

#2 Příspěvek od nowas »

Ahoj,
sem to pak projel antivirem+rootkit a antispamem a myslel jsem ze to je vpoho po odstaneni haveti co to naslo ale pro jistotu jsem pak ho spustil jeste jednou combofix a ten samej problem.

ComboFix-quarantined-files.txt
2010-01-27 14:42:08 . 2010-01-27 14:42:08 3,765 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2010-01-27 14:06:05 . 2010-01-27 14:34:09 215 ----a-w- C:\Qoobox\Quarantine\catchme.log

ComboFix2.txt
ComboFix 10-01-26.02 - Irma 27.01.2010 9:55.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1250.420.1029.18.959.173 [GMT 1:00]
Spuštěný z: c:\users\Irma\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\$recycle.bin\S-1-5-21-2210734124-3313158550-2263523583-500
c:\$recycle.bin\S-1-5-21-2975896864-1140630541-4158382633-500
c:\$recycle.bin\S-1-5-21-3756814594-934791744-2934890308-500
c:\program files\Internet Saving Optimizer
c:\program files\Internet Saving Optimizer\3.4.0.4340\Data\config.md
c:\program files\Internet Saving Optimizer\3.4.0.4340\FF\components\NPFFAddOn.dll
c:\program files\Internet Saving Optimizer\3.4.0.4340\FF\components\NPFFAddOn.xpt
c:\program files\Internet Saving Optimizer\3.4.0.4340\FF\components\NPFFHelperComponent.js
c:\program files\Internet Saving Optimizer\3.4.0.4340\FF\chrome.manifest
c:\program files\Internet Saving Optimizer\3.4.0.4340\FF\chrome\content\NPAddOn.js
c:\program files\Internet Saving Optimizer\3.4.0.4340\FF\chrome\content\NPAddOn.xul
c:\program files\Internet Saving Optimizer\3.4.0.4340\FF\chrome\NPAddOn.jar
c:\program files\Internet Saving Optimizer\3.4.0.4340\FF\install.rdf
c:\program files\Internet Saving Optimizer\3.4.0.4340\NPCommon.dll
c:\program files\Internet Saving Optimizer\3.4.0.4340\unins000.dat
c:\program files\Internet Saving Optimizer\3.4.0.4340\unins000.exe
c:\program files\Media Access Startup
c:\program files\Media Access Startup\1.5.0.850\Data\config.md
c:\program files\Media Access Startup\1.5.0.850\FF\components\HPFFAddOn.dll
c:\program files\Media Access Startup\1.5.0.850\FF\components\HPFFAddOn.xpt
c:\program files\Media Access Startup\1.5.0.850\FF\components\HPFFHelperComponent.js
c:\program files\Media Access Startup\1.5.0.850\FF\chrome.manifest
c:\program files\Media Access Startup\1.5.0.850\FF\chrome\content\HPAddOn.js
c:\program files\Media Access Startup\1.5.0.850\FF\chrome\content\HPAddOn.xul
c:\program files\Media Access Startup\1.5.0.850\FF\chrome\HPAddOn.jar
c:\program files\Media Access Startup\1.5.0.850\FF\install.rdf
c:\program files\Media Access Startup\1.5.0.850\HPCommon.dll
c:\program files\Media Access Startup\1.5.0.850\hppx.exe
c:\program files\Media Access Startup\1.5.0.850\MAHelper.exe
c:\program files\Media Access Startup\1.5.0.850\unins000.dat
c:\program files\Media Access Startup\1.5.0.850\unins000.exe
c:\windows\system32\Thumbs.db

.
((((((((((((((((((((((((( Soubory vytvořené od 2009-12-27 do 2010-01-27 )))))))))))))))))))))))))))))))
.

2010-01-27 08:35 . 2010-01-27 08:35 -------- d-----w- c:\users\Irma\AppData\Roaming\URSoft
2010-01-27 08:35 . 2010-01-27 08:35 -------- d-----w- c:\program files\Your Uninstaller 2010
2010-01-12 22:43 . 2009-10-19 13:38 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-01-12 22:43 . 2009-10-19 13:35 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-01-09 10:28 . 2010-01-09 10:36 -------- d-----w- c:\users\Irma\AppData\Roaming\U3

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-27 08:32 . 2007-01-08 21:09 598600 ----a-w- c:\windows\system32\perfh005.dat
2010-01-27 08:32 . 2007-01-08 21:09 114808 ----a-w- c:\windows\system32\perfc005.dat
2010-01-14 10:12 . 2009-10-03 11:13 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-13 22:53 . 2007-04-13 09:46 -------- d-----w- c:\programdata\Microsoft Help
2010-01-13 22:52 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-01-02 06:38 . 2010-01-21 20:43 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-21 20:43 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32 . 2010-01-21 20:43 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57 . 2010-01-21 20:43 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-20 08:16 . 2009-12-20 08:16 515848 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-12-13 19:18 . 2009-12-13 19:18 -------- d-----w- c:\program files\MSXML 4.0
2009-12-09 22:58 . 2009-12-09 22:58 -------- d-----w- c:\program files\Software602
2009-12-04 13:04 . 2009-12-04 13:04 -------- d-----w- c:\program files\AVG
2009-12-04 12:51 . 2009-12-04 12:51 -------- d-----w- c:\program files\Windows Portable Devices
2009-12-04 12:50 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-12-04 12:50 . 2009-12-04 12:50 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-12-03 05:20 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-12-03 05:19 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-12-03 05:19 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2009-12-03 05:19 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2009-12-03 05:19 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2009-12-03 05:19 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-12-03 05:16 . 2009-12-03 05:16 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-11-28 14:57 . 2006-11-02 10:32 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2009-11-28 14:57 . 2006-11-02 10:32 82432 ----a-w- c:\windows\system32\axaltocm.dll
2009-11-26 21:31 . 2007-10-23 07:00 99864 ----a-w- c:\users\Irma\AppData\Local\GDIPFONTCACHEV1.DAT
2009-11-09 12:31 . 2009-12-13 19:17 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-11-09 12:30 . 2009-12-13 19:17 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-11-09 10:36 . 2009-12-13 19:17 411648 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-29 09:17 . 2009-11-25 22:51 2048 ----a-w- c:\windows\system32\tzres.dll
2004-12-02 05:18 . 2007-04-13 10:17 222390 --sha-r- c:\windows\ConfigSetRoot\IO.SYS
.

(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 2153472]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2007-06-20 4493312]
"Skytel"="Skytel.exe" [2007-06-15 1826816]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-04-12 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-12 8429568]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-12 81920]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Remote Control.lnk - c:\program files\KWorld Multimedia\TV Tuner Card Utilities\HMCP3XCtl.exe [2007-7-12 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"VistaSp2"=hex(b):76,ac,b4,1d,d9,73,ca,01

R3 3xHybrid;3xHybrid service;c:\windows\System32\drivers\3xHybrid.sys [20.4.2007 12:34 674048]
S2 BT848;WinFast TV2000 XP WDM Video Capture;c:\windows\System32\drivers\wf2kvcap.sys [4.10.2004 10:34 75925]
S3 FontCache;Mezipaměť písem Windows;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [8.6.2008 9:20 21504]
S3 Ph3xIB32;Philips 713x Inbox PCI TV Card;c:\windows\System32\drivers\Ph3xIB32.sys [2.11.2006 11:32 1083520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Obsah adresáře 'Naplánované úlohy'

2010-01-27 c:\windows\Tasks\User_Feed_Synchronization-{0023ABC7-74C2-496E-9CE7-01F885722655}.job
- c:\windows\system32\msfeedssync.exe [2010-01-21 04:56]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.seznam.cz/
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {672EE252-D813-4F5E-81BB-5DD163DD4FA5} - hxxps://www.mojedatovaschranka.cz/static/pages/ ... ctivex.cab
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -

BHO-{CDBFB47B-58A8-4111-BF95-06178DCE326D} - c:\program files\System Search Dispatcher\1.3.0.840\ssd.dll
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
AddRemove-{16B6279B-9FF5-41fb-8BF9-404324F5DD1F}}_is1 - c:\program files\Media Access Startup\1.5.0.850\unins000.exe
AddRemove-{1FB52AB3-5987-45a2-85E0-F3EC30DDDC29}}_is1 - c:\program files\Internet Saving Optimizer\3.4.0.4340\unins000.exe



**************************************************************************
skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory:

**************************************************************************
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\windows\system32\WUDFHost.exe
c:\windows\system32\conime.exe
c:\windows\RtHDVCpl.exe
c:\windows\System32\rundll32.exe
c:\windows\ehome\ehmsas.exe
c:\windows\ehome\ehsched.exe
c:\windows\System32\rundll32.exe
c:\windows\ehome\ehRecvr.exe
.
**************************************************************************
.
Celkový čas: 2010-01-27 10:12:59 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-01-27 09:12

Před spuštěním: Volných bajtů: 187 002 626 048
Po spuštění: Volných bajtů: 187 039 571 968

- - End Of File - - 344C9049D89832F8454590164B318DD1
Nahoru
nowas
Návštěvník
Návštěvník
Příspěvky: 20
Registrován: 05 úno 2006 02:54

Re: Combofix hlásí rootkit

#3 Příspěvek od nowas »

rychly sken z gmer

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-01-27 16:16:10
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\Irma\AppData\Local\Temp\awldapob.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0xAB418322]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0xAB41814C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xAB418280]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \Driver\tdx \Device\Tcp aswRdr.SYS (avast! TDI RDR Driver/ALWIL Software)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- EOF - GMER 1.0.15 ----

druhy sken se pokusim dodat. kdyz jsem ho spustil tak mi pocitac zatuhl takze druhy pokus
Nahoru
nowas
Návštěvník
Návštěvník
Příspěvky: 20
Registrován: 05 úno 2006 02:54

Re: Combofix hlásí rootkit

#4 Příspěvek od nowas »

ma podruhy uz dobehl

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-27 16:47:16
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\Irma\AppData\Local\Temp\awldapob.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0x8C359322]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0x8C35914C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0x8C359280]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)
Device \Driver\USBSTOR \Device\00000060 8BC862C0
Device \Driver\USBSTOR \Device\00000061 8BC862C0

AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\USBSTOR \Device\00000062 8BC862C0
Device \Driver\USBSTOR \Device\00000063 8BC862C0
Device \Driver\nvstor \Device\00000057 84980310
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 8591D790
Device \Driver\atapi \Device\Ide\IdePort0 8591D790
Device \Driver\atapi \Device\Ide\IdePort1 8591D790
Device \Driver\nvstor \Device\RaidPort0 84980310

AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\USBSTOR \Device\0000005f 8BC862C0

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Media Center\Service\Scheduler@Heartbeat 0xEF 0xA0 0x4F 0xF6 ...

---- Files - GMER 1.0.15 ----

File C:\Users\Irma\AppData\Local\temp\~DF61A8.tmp 0 bytes

---- EOF - GMER 1.0.15 ----
Nahoru
nowas
Návštěvník
Návštěvník
Příspěvky: 20
Registrován: 05 úno 2006 02:54

Re: Combofix hlásí rootkit

#5 Příspěvek od nowas »

log z mbr.txt
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK



log z cmd mbr
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x84A83998]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x8599fa28
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !
Nahoru
nowas
Návštěvník
Návštěvník
Příspěvky: 20
Registrován: 05 úno 2006 02:54

Re: Combofix hlásí rootkit

#6 Příspěvek od nowas »

Emulator mechanik nemam.

log z OTL.txt
OTL logfile created on: 27.1.2010 17:26:30 - Run 1
OTL by OldTimer - Version 3.1.27.0 Folder = C:\Users\Irma\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18882)
Locale: 00000405 | Country: Česká republika | Language: CSY | Date Format: d.M.yyyy

959,00 Mb Total Physical Memory | 326,00 Mb Available Physical Memory | 34,00% Memory free
3,00 Gb Paging File | 2,00 Gb Available in Paging File | 70,00% Paging File free
Paging file location(s): c:\pagefile.sys 2048 2048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 232,88 Gb Total Space | 173,30 Gb Free Space | 74,42% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: PCIRMA
Current User Name: Irma
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 7 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010.01.27 17:23:18 | 00,548,864 | ---- | M] (OldTimer Tools) -- C:\Users\Irma\Desktop\OTL.exe
PRC - [2010.01.19 12:57:44 | 02,743,104 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
PRC - [2010.01.19 12:57:41 | 00,040,384 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2010.01.02 07:40:20 | 00,638,216 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2009.10.28 04:31:14 | 00,257,440 | R--- | M] (Adobe Systems, Inc.) -- C:\Windows\System32\Macromed\Flash\FlashUtil10d.exe
PRC - [2009.04.11 07:27:36 | 02,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009.04.11 07:27:28 | 00,069,120 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conime.exe
PRC - [2009.01.26 15:31:10 | 01,153,368 | ---- | M] (Safer Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
PRC - [2008.01.19 08:38:38 | 01,008,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe
PRC - [2008.01.19 08:33:40 | 00,142,336 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\WUDFHost.exe
PRC - [2008.01.19 08:33:04 | 00,318,976 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cmd.exe
PRC - [2007.06.20 15:56:16 | 04,493,312 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe
PRC - [2007.03.20 20:56:52 | 00,077,824 | ---- | M] () -- C:\Program Files\KWorld Multimedia\TV Tuner Card Utilities\HMCP3XCtl.exe


========== Modules (SafeList) ==========

MOD - [2010.01.27 17:23:18 | 00,548,864 | ---- | M] (OldTimer Tools) -- C:\Users\Irma\Desktop\OTL.exe
MOD - [2009.04.11 07:21:38 | 01,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2010.01.19 12:57:41 | 00,040,384 | ---- | M] (ALWIL Software) [On_Demand | Stopped] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
SRV - [2010.01.19 12:57:41 | 00,040,384 | ---- | M] (ALWIL Software) [On_Demand | Stopped] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
SRV - [2010.01.19 12:57:41 | 00,040,384 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2009.09.25 02:27:04 | 00,793,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2009.02.18 19:38:43 | 00,129,880 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing)
SRV - [2009.01.26 15:31:10 | 01,153,368 | ---- | M] (Safer Networking Ltd.) [Auto | Running] -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe -- (SBSDWSCService)
SRV - [2008.11.04 01:06:28 | 00,441,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2008.01.19 08:38:24 | 00,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2006.11.02 13:35:29 | 00,013,312 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\ehome\ehstart.dll -- (ehstart)
SRV - [2006.10.26 12:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2006.07.05 14:02:03 | 00,358,008 | ---- | M] (Protection Technology (StarForce)) [Auto | Stopped] -- C:\Windows\System32\sfrem01.exe -- (sfrem01) SF FrontLine Drivers Auto Removal (v1)


========== Driver Services (SafeList) ==========

DRV - [2010.01.27 12:32:11 | 00,112,144 | ---- | M] (Kaspersky Lab) [Kernel | System | Running] -- C:\Windows\System32\drivers\kl1.sys -- (kl1)
DRV - [2010.01.19 14:13:58 | 00,162,640 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2010.01.19 12:46:52 | 00,046,544 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2010.01.19 12:43:40 | 00,023,248 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2010.01.19 12:43:23 | 00,051,792 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswMonFlt.sys -- (aswMonFlt)
DRV - [2010.01.19 12:42:57 | 00,019,024 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2007.06.22 16:34:12 | 01,788,056 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\RTKVHDA.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2007.04.20 12:34:54 | 00,674,048 | ---- | M] (Philips Semiconductors GmbH) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\3xHybrid.sys -- (3xHybrid)
DRV - [2007.04.12 16:07:00 | 07,476,640 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2007.01.15 16:35:18 | 01,032,104 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvmfdx32.sys -- (NVENETFD)
DRV - [2007.01.05 20:59:42 | 00,035,920 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor)
DRV - [2006.11.02 10:51:45 | 00,900,712 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300)
DRV - [2006.11.02 10:51:38 | 00,420,968 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx)
DRV - [2006.11.02 10:51:34 | 00,316,520 | ---- | M] (Emulex) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor)
DRV - [2006.11.02 10:51:32 | 00,297,576 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci)
DRV - [2006.11.02 10:51:25 | 00,235,112 | ---- | M] (ULi Electronics Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci)
DRV - [2006.11.02 10:51:25 | 00,232,040 | ---- | M] (Intel Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV)
DRV - [2006.11.02 10:51:00 | 00,147,048 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320)
DRV - [2006.11.02 10:50:45 | 00,115,816 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2)
DRV - [2006.11.02 10:50:41 | 00,112,232 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid)
DRV - [2006.11.02 10:50:35 | 00,106,088 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx)
DRV - [2006.11.02 10:50:35 | 00,098,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata)
DRV - [2006.11.02 10:50:35 | 00,098,408 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m)
DRV - [2006.11.02 10:50:24 | 00,088,680 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid)
DRV - [2006.11.02 10:50:19 | 00,045,160 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960)
DRV - [2006.11.02 10:50:17 | 00,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp)
DRV - [2006.11.02 10:50:16 | 00,071,784 | ---- | M] (Silicon Integrated Systems) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4)
DRV - [2006.11.02 10:50:11 | 00,071,272 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx)
DRV - [2006.11.02 10:50:10 | 00,067,688 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas)
DRV - [2006.11.02 10:50:10 | 00,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2006.11.02 10:50:10 | 00,038,504 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid2.sys -- (SiSRaid2)
DRV - [2006.11.02 10:50:10 | 00,037,480 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs)
DRV - [2006.11.02 10:50:09 | 00,067,688 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arc.sys -- (arc)
DRV - [2006.11.02 10:50:09 | 00,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid)
DRV - [2006.11.02 10:50:07 | 00,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi)
DRV - [2006.11.02 10:50:05 | 00,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS)
DRV - [2006.11.02 10:50:05 | 00,035,944 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx)
DRV - [2006.11.02 10:50:04 | 00,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC)
DRV - [2006.11.02 10:50:03 | 00,034,920 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3)
DRV - [2006.11.02 10:49:59 | 00,033,384 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x)
DRV - [2006.11.02 10:49:56 | 00,031,848 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi)
DRV - [2006.11.02 10:49:53 | 00,028,776 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasas.sys -- (megasas)
DRV - [2006.11.02 10:49:30 | 00,017,512 | ---- | M] (VIA Technologies, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\viaide.sys -- (viaide)
DRV - [2006.11.02 10:49:28 | 00,016,488 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide)
DRV - [2006.11.02 10:49:20 | 00,014,952 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\aliide.sys -- (aliide)
DRV - [2006.11.02 09:27:22 | 01,083,520 | ---- | M] (Philips Semiconductors GmbH) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\Ph3xIB32.sys -- (Ph3xIB32)
DRV - [2006.11.02 09:25:24 | 00,071,808 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2006.11.02 09:24:47 | 00,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer)
DRV - [2006.11.02 09:24:46 | 00,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp)
DRV - [2006.11.02 09:24:45 | 00,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo)
DRV - [2006.11.02 09:24:44 | 00,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm)
DRV - [2006.11.02 09:24:44 | 00,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm)
DRV - [2006.11.02 08:36:50 | 00,020,608 | ---- | M] (N-trig Innovative Technologies) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi)
DRV - [2006.11.02 08:30:54 | 00,117,760 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\E1G60I32.sys -- (E1G60) Intel(R)
DRV - [2006.11.02 07:37:21 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\secdrv.sys -- (secdrv)
DRV - [2006.08.11 14:47:13 | 00,059,776 | ---- | M] (Protection Technology (StarForce)) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\sfsync04.sys -- (sfsync04) StarForce Protection Synchronization Driver (version 4.x)
DRV - [2006.07.05 13:39:29 | 00,059,256 | ---- | M] (Protection Technology (StarForce)) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\sfdrv01.sys -- (sfdrv01) StarForce Protection Environment Driver (version 1.x)
DRV - [2006.06.14 15:56:56 | 00,013,680 | ---- | M] (Protection Technology (StarForce)) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\sfhlp02.sys -- (sfhlp02) StarForce Protection Helper Driver (version 2.x)
DRV - [2004.10.04 10:34:56 | 00,075,925 | ---- | M] (Leadtek Research Inc.) [Kernel | Auto | Stopped] -- C:\Windows\System32\drivers\wf2kvcap.sys -- (BT848)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2758611613-3482399258-3318276795-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
IE - HKU\S-1-5-21-2758611613-3482399258-3318276795-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-2758611613-3482399258-3318276795-1000\S-1-5-21-2758611613-3482399258-3318276795-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{2224E955-00E9-4613-A844-CE69FCCAAE91}: C:\Program Files\Internet Saving Optimizer\3.4.0.4340\FF
FF - HKLM\software\mozilla\Firefox\Extensions\\{0BA0192D-94A5-45e3-B2B8-3EC5A1A0B5EC}: C:\Program Files\Media Access Startup\1.5.0.850\FF


O1 HOSTS File: ([2010.01.27 15:44:41 | 00,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O3 - HKLM\..\Toolbar: (no name) - {5617ECA9-488D-4BA2-8562-9710B9AB78D2} - No CLSID value found.
O3 - HKU\S-1-5-21-2758611613-3482399258-3318276795-1000\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (ALWIL Software)
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvSvc] C:\Windows\System32\nvsvc.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [Skytel] C:\Windows\SkyTel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-2758611613-3482399258-3318276795-1000..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
O4 - HKU\S-1-5-21-2758611613-3482399258-3318276795-1000..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2758611613-3482399258-3318276795-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2758611613-3482399258-3318276795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-2758611613-3482399258-3318276795-1000_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {672EE252-D813-4F5E-81BB-5DD163DD4FA5} https://www.mojedatovaschranka.cz/stati ... ctivex.cab (Active602XMLFiller Control)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/get/sh ... wflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 213.46.172.36 213.46.172.37
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img16.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img16.jpg
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006.09.18 22:43:36 | 00,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias [2009.11.28 17:50:16 | 00,000,000 | ---D | M]
NetSvcs: Irmon - C:\Windows\System32\irmon.dll (Microsoft Corporation)
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found

Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: MSVideo8 - C:\Windows\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)
OTL cannot create restorepoints on Vista OSs!

========== Files/Folders - Created Within 7 Days ==========

[2010.01.27 17:23:13 | 00,548,864 | ---- | C] (OldTimer Tools) -- C:\Users\Irma\Desktop\OTL.exe
[2010.01.27 16:12:02 | 00,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2010.01.27 16:12:02 | 00,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010.01.27 16:11:33 | 16,409,960 | ---- | C] (Safer Networking Limited ) -- C:\Users\Irma\Desktop\spybotsd162.exe
[2010.01.27 16:00:30 | 00,162,640 | ---- | C] (ALWIL Software) -- C:\Windows\System32\drivers\aswSP.sys
[2010.01.27 16:00:30 | 00,019,024 | ---- | C] (ALWIL Software) -- C:\Windows\System32\drivers\aswFsBlk.sys
[2010.01.27 16:00:29 | 00,023,248 | ---- | C] (ALWIL Software) -- C:\Windows\System32\drivers\aswRdr.sys
[2010.01.27 16:00:28 | 00,046,544 | ---- | C] (ALWIL Software) -- C:\Windows\System32\drivers\aswTdi.sys
[2010.01.27 16:00:25 | 00,051,792 | ---- | C] (ALWIL Software) -- C:\Windows\System32\drivers\aswMonFlt.sys
[2010.01.27 15:59:30 | 00,152,672 | ---- | C] (ALWIL Software) -- C:\Windows\System32\aswBoot.exe
[2010.01.27 15:59:30 | 00,038,848 | ---- | C] (ALWIL Software) -- C:\Windows\System32\avastSS.scr
[2010.01.27 15:59:21 | 00,000,000 | ---D | C] -- C:\ProgramData\Alwil Software
[2010.01.27 15:59:21 | 00,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2010.01.27 15:51:00 | 00,000,000 | ---D | C] -- C:\Users\Irma\AppData\Local\temp
[2010.01.27 15:44:45 | 00,000,000 | ---D | C] -- C:\$RECYCLE.BIN
[2010.01.27 15:43:22 | 00,000,000 | ---D | C] -- C:\Windows\temp
[2010.01.27 15:29:43 | 00,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2010.01.27 15:05:47 | 00,000,000 | ---D | C] -- C:\Qoobox
[2010.01.27 14:48:09 | 00,000,000 | ---D | C] -- C:\Users\Irma\Desktop\gmer
[2010.01.27 14:42:48 | 00,000,000 | ---D | C] -- C:\Users\Irma\Desktop\RootkitRevealer
[2010.01.27 12:15:47 | 00,000,000 | ---D | C] -- C:\Program Files\Kaspersky Lab
[2010.01.27 12:12:33 | 00,000,000 | ---D | C] -- C:\ProgramData\Kaspersky Lab Setup Files
[2010.01.27 11:30:00 | 00,716,320 | ---- | C] (Secunia) -- C:\Users\Irma\Desktop\PSISetup.exe
[2010.01.27 11:01:51 | 00,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2010.01.27 10:31:30 | 00,000,000 | ---D | C] -- C:\ProgramData\PC Tools
[2010.01.27 10:30:57 | 00,000,000 | ---D | C] -- C:\Users\Irma\AppData\Roaming\WinRAR
[2010.01.27 10:30:45 | 00,000,000 | ---D | C] -- C:\Program Files\WinRAR
[2010.01.27 09:51:49 | 00,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2010.01.27 09:51:49 | 00,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2010.01.27 09:51:49 | 00,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2010.01.27 09:51:44 | 00,000,000 | ---D | C] -- C:\Windows\ERDNT
[2010.01.27 09:35:41 | 00,000,000 | ---D | C] -- C:\Users\Irma\AppData\Roaming\URSoft
[2010.01.27 09:35:39 | 00,000,000 | ---D | C] -- C:\ProgramData\TEMP
[2010.01.27 09:35:37 | 00,000,000 | ---D | C] -- C:\Program Files\Your Uninstaller 2010
[2010.01.21 21:43:48 | 00,594,432 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2010.01.21 21:43:47 | 01,638,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2010.01.21 21:43:47 | 01,469,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2010.01.21 21:43:47 | 00,387,584 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll
[2010.01.21 21:43:47 | 00,184,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iepeers.dll
[2010.01.21 21:43:47 | 00,173,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ie4uinit.exe
[2010.01.21 21:43:47 | 00,164,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2010.01.21 21:43:47 | 00,133,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2010.01.21 21:43:47 | 00,109,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesysprep.dll
[2010.01.21 21:43:47 | 00,071,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesetup.dll
[2010.01.21 21:43:47 | 00,055,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iernonce.dll
[2010.01.21 21:43:47 | 00,055,296 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedsbs.dll
[2010.01.21 21:43:47 | 00,025,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2010.01.21 21:43:47 | 00,013,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedssync.exe

========== Files - Modified Within 7 Days ==========

[2010.01.27 17:27:05 | 01,572,864 | -HS- | M] () -- C:\Users\Irma\NTUSER.DAT
[2010.01.27 17:23:18 | 00,548,864 | ---- | M] (OldTimer Tools) -- C:\Users\Irma\Desktop\OTL.exe
[2010.01.27 17:09:22 | 00,077,312 | ---- | M] () -- C:\mbr.exe
[2010.01.27 17:07:36 | 00,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010.01.27 17:07:35 | 00,003,568 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010.01.27 17:07:35 | 00,003,568 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010.01.27 17:07:27 | 00,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010.01.27 17:07:24 | 10,060,34944 | -HS- | M] () -- C:\hiberfil.sys
[2010.01.27 17:06:46 | 00,524,288 | -HS- | M] () -- C:\Users\Irma\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms
[2010.01.27 17:06:46 | 00,065,536 | -HS- | M] () -- C:\Users\Irma\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf
[2010.01.27 17:06:42 | 01,630,217 | -H-- | M] () -- C:\Users\Irma\AppData\Local\IconCache.db
[2010.01.27 16:12:07 | 00,001,055 | ---- | M] () -- C:\Users\Irma\Desktop\Spybot - Search & Destroy.lnk
[2010.01.27 16:11:38 | 16,409,960 | ---- | M] (Safer Networking Limited ) -- C:\Users\Irma\Desktop\spybotsd162.exe
[2010.01.27 16:00:30 | 00,001,840 | ---- | M] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
[2010.01.27 16:00:25 | 00,002,577 | ---- | M] () -- C:\Windows\System32\config.nt
[2010.01.27 15:44:51 | 00,000,215 | ---- | M] () -- C:\Windows\system.ini
[2010.01.27 15:44:41 | 00,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2010.01.27 15:15:11 | 63,068,9225 | ---- | M] () -- C:\Windows\System32\ZPTPRY
[2010.01.27 15:06:42 | 03,838,287 | R--- | M] () -- C:\Users\Irma\Desktop\ComboFix.exe
[2010.01.27 14:55:27 | 00,781,909 | ---- | M] () -- C:\Users\Irma\Desktop\RSIT.exe
[2010.01.27 14:28:43 | 40,146,416 | ---- | M] () -- C:\Users\Irma\Desktop\setup_av_free_eng.exe
[2010.01.27 13:05:52 | 00,012,744 | ---- | M] () -- C:\Users\Irma\Desktop\cc_20100127_130539.reg
[2010.01.27 12:39:38 | 00,000,000 | ---- | M] () -- C:\Users\Irma\AppData\Roaming\chrtmp
[2010.01.27 12:32:11 | 00,112,144 | ---- | M] (Kaspersky Lab) -- C:\Windows\System32\drivers\kl1.sys
[2010.01.27 11:30:15 | 00,716,320 | ---- | M] (Secunia) -- C:\Users\Irma\Desktop\PSISetup.exe
[2010.01.27 11:01:52 | 00,001,670 | ---- | M] () -- C:\Users\Irma\Desktop\CCleaner.lnk
[2010.01.27 09:32:13 | 01,393,930 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010.01.27 09:32:13 | 00,598,600 | ---- | M] () -- C:\Windows\System32\perfh005.dat
[2010.01.27 09:32:13 | 00,586,980 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010.01.27 09:32:13 | 00,114,808 | ---- | M] () -- C:\Windows\System32\perfc005.dat
[2010.01.27 09:32:13 | 00,101,052 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010.01.27 09:23:22 | 00,000,416 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{0023ABC7-74C2-496E-9CE7-01F885722655}.job

========== Files Created - No Company Name ==========

[2010.01.27 17:09:11 | 00,077,312 | ---- | C] () -- C:\mbr.exe
[2010.01.27 16:12:07 | 00,001,055 | ---- | C] () -- C:\Users\Irma\Desktop\Spybot - Search & Destroy.lnk
[2010.01.27 16:00:30 | 00,001,840 | ---- | C] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
[2010.01.27 14:55:19 | 00,781,909 | ---- | C] () -- C:\Users\Irma\Desktop\RSIT.exe
[2010.01.27 14:48:09 | 00,293,376 | ---- | C] () -- C:\Users\Irma\Desktop\gmer.exe
[2010.01.27 14:45:32 | 63,068,9225 | ---- | C] () -- C:\Windows\System32\ZPTPRY
[2010.01.27 14:28:25 | 40,146,416 | ---- | C] () -- C:\Users\Irma\Desktop\setup_av_free_eng.exe
[2010.01.27 13:05:48 | 00,012,744 | ---- | C] () -- C:\Users\Irma\Desktop\cc_20100127_130539.reg
[2010.01.27 12:39:38 | 00,000,000 | ---- | C] () -- C:\Users\Irma\AppData\Roaming\chrtmp
[2010.01.27 11:01:52 | 00,001,670 | ---- | C] () -- C:\Users\Irma\Desktop\CCleaner.lnk
[2010.01.27 09:51:49 | 00,261,632 | ---- | C] () -- C:\Windows\PEV.exe
[2010.01.27 09:51:49 | 00,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2010.01.27 09:51:49 | 00,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2010.01.27 09:51:49 | 00,077,312 | ---- | C] () -- C:\Windows\MBR.exe
[2010.01.27 09:51:49 | 00,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2010.01.27 09:51:06 | 03,838,287 | R--- | C] () -- C:\Users\Irma\Desktop\ComboFix.exe
[2009.11.29 21:14:26 | 00,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2007.10.31 09:17:45 | 00,007,168 | ---- | C] () -- C:\Users\Irma\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007.10.24 09:48:57 | 00,000,097 | ---- | C] () -- C:\Windows\System32\PICSDK.ini
[2007.10.24 09:45:52 | 00,000,026 | ---- | C] () -- C:\Windows\CDE DX4400DEFGIPS.ini
[2007.07.12 10:34:34 | 00,001,324 | ---- | C] () -- C:\Windows\TVP3XDrv.ini
[2007.07.12 10:34:19 | 00,003,072 | ---- | C] () -- C:\Windows\System32\34CoInstaller.dll
[2007.04.13 10:32:50 | 00,000,000 | ---- | C] () -- C:\Windows\sporic_new.ini
[2006.11.02 13:35:32 | 00,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006.11.02 08:40:29 | 00,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini

========== LOP Check ==========

[2010.01.27 09:35:41 | 00,000,000 | ---D | M] -- C:\Users\Irma\AppData\Roaming\URSoft
[2010.01.27 17:06:52 | 00,032,572 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2010.01.27 09:23:22 | 00,000,416 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{0023ABC7-74C2-496E-9CE7-01F885722655}.job

========== Purity Check ==========



========== Custom Scans ==========


< HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /s >
"Sidebar" = C:\Program Files\Windows Sidebar\sidebar.exe /autoRun -- [2009.04.11 07:28:03 | 01,233,920 | ---- | M] (Microsoft Corporation)
"WindowsWelcomeCenter" = rundll32.exe oobefldr.dll,ShowWelcomeCenter -- [2009.04.11 07:28:23 | 02,153,472 | ---- | M] (Microsoft Corporation)
"ehTray.exe" = C:\Windows\ehome\ehTray.exe -- [2008.01.19 08:33:09 | 00,125,952 | ---- | M] (Microsoft Corporation)
"SpybotSD TeaTimer" = C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe -- [2009.01.26 15:31:16 | 02,144,088 | RHS- | M] (Safer Networking Limited)

< c:\windows\*.* /U >


< MD5 for: AGP440.SYS >
[2008.01.19 08:42:25 | 00,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_51b95d75\AGP440.sys
[2008.01.19 08:42:25 | 00,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_f750e484\AGP440.sys
[2008.01.19 08:42:25 | 00,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6001.18000_none_ba12ed3bbeb0d97a\AGP440.sys
[2008.01.19 08:42:25 | 00,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6002.18005_none_bbfe6647bbd2a4c6\AGP440.sys
[2006.11.02 10:49:52 | 00,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\ERDNT\cache\AGP440.sys
[2006.11.02 10:49:52 | 00,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\System32\drivers\AGP440.sys
[2006.11.02 10:49:52 | 00,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_920a2c1f\AGP440.sys

< MD5 for: ATAPI.SYS >
[2009.04.11 07:32:26 | 00,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\ERDNT\cache\atapi.sys
[2009.04.11 07:32:26 | 00,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\System32\drivers\atapi.sys
[2009.04.11 07:32:26 | 00,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys
[2009.04.11 07:32:26 | 00,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys
[2008.01.19 08:41:30 | 00,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys
[2008.01.19 08:41:30 | 00,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys
[2006.11.02 10:49:36 | 00,019,048 | ---- | M] (Microsoft Corporation) MD5=4F4FCB8B6EA06784FB6D475B7EC7300F -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys
[2008.02.14 04:40:31 | 00,021,560 | ---- | M] (Microsoft Corporation) MD5=B35CFCEF838382AB6490B321C87EDF17 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_7de13c21\atapi.sys
[2008.02.14 04:40:31 | 00,021,560 | ---- | M] (Microsoft Corporation) MD5=B35CFCEF838382AB6490B321C87EDF17 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.16632_none_db337a442479c42c\atapi.sys
[2008.02.14 04:40:30 | 00,021,560 | ---- | M] (Microsoft Corporation) MD5=E03E8C99D15D0381E02743C36AFC7C6F -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20757_none_dbac78a93da31a8b\atapi.sys

< MD5 for: CNGAUDIT.DLL >
[2006.11.02 10:46:03 | 00,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\ERDNT\cache\cngaudit.dll
[2006.11.02 10:46:03 | 00,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\System32\cngaudit.dll
[2006.11.02 10:46:03 | 00,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll

< MD5 for: EXPLORER.EXE >
[2008.10.29 07:20:29 | 02,923,520 | ---- | M] (Microsoft Corporation) MD5=37440D09DEAE0B672A04DCCF7ABF06BE -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16771_none_4f83bb287ccdb7e3\explorer.exe
[2008.10.29 07:29:41 | 02,927,104 | ---- | M] (Microsoft Corporation) MD5=4F554999D7D5F05DAAEBBA7B5BA1089D -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18164_none_5177ca9879e978e8\explorer.exe
[2008.10.30 04:59:17 | 02,927,616 | ---- | M] (Microsoft Corporation) MD5=50BA5850147410CDE89C523AD3BC606E -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_51e4f8c7931bd1e1\explorer.exe
[2007.11.17 10:16:20 | 02,923,520 | ---- | M] (Microsoft Corporation) MD5=6D06CD98D954FE87FB2DB8108793B399 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16549_none_4fac29707cae347a\explorer.exe
[2007.11.17 10:16:20 | 02,923,520 | ---- | M] (Microsoft Corporation) MD5=BD06F0BF753BC704B653C3A50F89D362 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20668_none_501f261995dcf2cf\explorer.exe
[2009.04.11 07:27:36 | 02,926,592 | ---- | M] (Microsoft Corporation) MD5=D07D4C3038F3578FFCE1C0237F2A1253 -- C:\Windows\ERDNT\cache\explorer.exe
[2009.04.11 07:27:36 | 02,926,592 | ---- | M] (Microsoft Corporation) MD5=D07D4C3038F3578FFCE1C0237F2A1253 -- C:\Windows\explorer.exe
[2009.04.11 07:27:36 | 02,926,592 | ---- | M] (Microsoft Corporation) MD5=D07D4C3038F3578FFCE1C0237F2A1253 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6002.18005_none_53a0201e76de3a0b\explorer.exe
[2008.10.28 03:15:02 | 02,923,520 | ---- | M] (Microsoft Corporation) MD5=E7156B0B74762D9DE0E66BDCDE06E5FB -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20947_none_5033cb5995cd990b\explorer.exe
[2006.11.02 10:45:07 | 02,923,520 | ---- | M] (Microsoft Corporation) MD5=FD8C53FB002217F6F888BCF6F5D7084D -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16386_none_4f7de5167cd15deb\explorer.exe
[2008.01.19 08:33:10 | 02,927,104 | ---- | M] (Microsoft Corporation) MD5=FFA764631CB70A30065C12EF8E174F9F -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18000_none_51b4a71279bc6ebf\explorer.exe

< MD5 for: HAL.DLL >
[2009.04.11 07:32:46 | 00,177,128 | ---- | M] (Microsoft Corporation) MD5=B8D52005181A15D7D1470CBF2AF214DD -- C:\Windows\System32\hal.dll

< MD5 for: IASTORV.SYS >
[2008.01.19 08:42:51 | 00,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_c9df7691\iaStorV.sys
[2008.01.19 08:42:51 | 00,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.0.6001.18000_none_af11527887c7fa8f\iaStorV.sys
[2006.11.02 10:51:25 | 00,232,040 | ---- | M] (Intel Corporation) MD5=C957BF4B5D80B46C5017BF0101E6C906 -- C:\Windows\System32\drivers\iaStorV.sys
[2006.11.02 10:51:25 | 00,232,040 | ---- | M] (Intel Corporation) MD5=C957BF4B5D80B46C5017BF0101E6C906 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_37cdafa4\iaStorV.sys

< MD5 for: LSASS.EXE >
[2009.06.15 13:51:56 | 00,009,728 | ---- | M] (Microsoft Corporation) MD5=203D86EBD6D8E4C8501B222421E81506 -- C:\Windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6002.22152_none_a886901f7335e2fc\lsass.exe
[2009.09.10 15:44:14 | 00,009,728 | ---- | M] (Microsoft Corporation) MD5=2D3AC5E7AC01E905F3ABD2D745FE3A9B -- C:\Windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6002.22223_none_a8a80213731ca5a7\lsass.exe
[2009.06.15 13:48:49 | 00,009,728 | ---- | M] (Microsoft Corporation) MD5=3978F3540329E16C0AC3BCF677E5669F -- C:\Windows\ERDNT\cache\lsass.exe
[2009.06.15 13:48:49 | 00,009,728 | ---- | M] (Microsoft Corporation) MD5=3978F3540329E16C0AC3BCF677E5669F -- C:\Windows\System32\lsass.exe
[2009.06.15 13:48:49 | 00,009,728 | ---- | M] (Microsoft Corporation) MD5=3978F3540329E16C0AC3BCF677E5669F -- C:\Windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6002.18051_none_a7fbf30a5a1929db\lsass.exe
[2009.02.13 08:26:04 | 00,007,680 | ---- | M] (Microsoft Corporation) MD5=59DE082968FDD257FFF0D209B9A5B460 -- C:\Windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6000.16820_none_a44eb0105fb4d975\lsass.exe
[2006.11.02 10:45:21 | 00,007,680 | ---- | M] (Microsoft Corporation) MD5=6A0E382E74280E4CC0DF17FE2661D003 -- C:\Windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6000.16386_none_a413c8c65fe02762\lsass.exe
[2009.06.15 14:03:38 | 00,009,728 | ---- | M] (Microsoft Corporation) MD5=6F1F23D3599EAE17734451936B7F17C6 -- C:\Windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6001.22450_none_a69e1da376115b2a\lsass.exe
[2009.06.15 13:57:59 | 00,009,728 | ---- | M] (Microsoft Corporation) MD5=A911ECAC81F94ADEAFBE8E3F7873EDB0 -- C:\Windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6001.18272_none_a600dfae5d0228c9\lsass.exe
[2009.02.13 05:58:37 | 00,007,680 | ---- | M] (Microsoft Corporation) MD5=AFF8A58280863629CA4FFA9E0B259F1E -- C:\Windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6000.21010_none_a4e2f4e978ca9090\lsass.exe
[2009.06.15 13:59:08 | 00,007,680 | ---- | M] (Microsoft Corporation) MD5=BA9A67672E025078C77967731BCFC560 -- C:\Windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6000.21067_none_a4b3e75378eccda6\lsass.exe
[2009.06.15 14:10:12 | 00,007,680 | ---- | M] (Microsoft Corporation) MD5=C731B1FE449D4E9CEA358C9D55B69BE9 -- C:\Windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6000.16870_none_a418a0745fdd652a\lsass.exe
[2009.09.09 12:09:38 | 00,009,728 | ---- | M] (Microsoft Corporation) MD5=CB7E838C140B4087B2DA323F2D4523C5 -- C:\Windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6001.22518_none_a6d1618975e9b345\lsass.exe
[2009.09.10 15:47:51 | 00,007,680 | ---- | M] (Microsoft Corporation) MD5=D09A5DA84B7C9CA9B02EBCD7FAE41C8D -- C:\Windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6000.21125_none_a4dd285578ce285b\lsass.exe
[2008.01.19 08:33:14 | 00,009,728 | ---- | M] (Microsoft Corporation) MD5=DCF733788C7D088D814E5F80EB4B3E0F -- C:\Windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6001.18000_none_a64a8ac25ccb3836\lsass.exe
[2008.01.19 08:33:14 | 00,009,728 | ---- | M] (Microsoft Corporation) MD5=DCF733788C7D088D814E5F80EB4B3E0F -- C:\Windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6001.18215_none_a644c0145ccecd28\lsass.exe
[2008.01.19 08:33:14 | 00,009,728 | ---- | M] (Microsoft Corporation) MD5=DCF733788C7D088D814E5F80EB4B3E0F -- C:\Windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6002.18005_none_a83603ce59ed0382\lsass.exe
[2009.02.13 09:20:29 | 00,009,728 | ---- | M] (Microsoft Corporation) MD5=F4C62B07E5BF96F1FDCA9DB393ECED22 -- C:\Windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6001.22376_none_a68e7da1761c2def\lsass.exe

< MD5 for: NDIS.SYS >
[2009.04.11 07:32:49 | 00,527,848 | ---- | M] (Microsoft Corporation) MD5=1357274D1883F68300AEADD15D7BBB42 -- C:\Windows\ERDNT\cache\ndis.sys
[2009.04.11 07:32:49 | 00,527,848 | ---- | M] (Microsoft Corporation) MD5=1357274D1883F68300AEADD15D7BBB42 -- C:\Windows\System32\drivers\ndis.sys
[2009.04.11 07:32:49 | 00,527,848 | ---- | M] (Microsoft Corporation) MD5=1357274D1883F68300AEADD15D7BBB42 -- C:\Windows\winsxs\x86_microsoft-windows-ndis_31bf3856ad364e35_6.0.6002.18005_none_a9b2a4d31930d864\ndis.sys
[2006.11.02 10:51:42 | 00,500,840 | ---- | M] (Microsoft Corporation) MD5=227C11E1E7CF6EF8AFB2A238D209760C -- C:\Windows\winsxs\x86_microsoft-windows-ndis_31bf3856ad364e35_6.0.6000.16386_none_a59069cb1f23fc44\ndis.sys
[2008.01.19 08:43:31 | 00,529,464 | ---- | M] (Microsoft Corporation) MD5=9BDC71790FA08F0A0B5F10462B1BD0B1 -- C:\Windows\winsxs\x86_microsoft-windows-ndis_31bf3856ad364e35_6.0.6001.18000_none_a7c72bc71c0f0d18\ndis.sys

< MD5 for: NETLOGON.DLL >
[2006.11.02 10:46:11 | 00,559,616 | ---- | M] (Microsoft Corporation) MD5=889A2C9F2AACCD8F64EF50AC0B3D553B -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6000.16386_none_fb80f5473b0ed783\netlogon.dll
[2009.04.11 07:28:23 | 00,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\ERDNT\cache\netlogon.dll
[2009.04.11 07:28:23 | 00,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\System32\netlogon.dll
[2009.04.11 07:28:23 | 00,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6002.18005_none_ffa3304f351bb3a3\netlogon.dll
[2008.01.19 08:35:36 | 00,592,384 | ---- | M] (Microsoft Corporation) MD5=A8EFC0B6E75B789F7FD3BA5025D4E37F -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857\netlogon.dll

< MD5 for: NVSTOR.SYS >
[2007.01.05 20:59:42 | 00,035,920 | ---- | M] (NVIDIA Corporation) MD5=4A5FCAB82D9BF6AF8A023A66802FE9E9 -- C:\Windows\System32\drivers\nvstor.sys
[2007.01.05 20:59:42 | 00,035,920 | ---- | M] (NVIDIA Corporation) MD5=4A5FCAB82D9BF6AF8A023A66802FE9E9 -- C:\Windows\System32\DriverStore\FileRepository\nvstor.inf_f48b8337\nvstor.sys
[2006.11.02 10:50:13 | 00,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_733654ff\nvstor.sys
[2008.01.19 08:42:09 | 00,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_31c3d71d\nvstor.sys
[2008.01.19 08:42:09 | 00,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.0.6001.18000_none_39dac327befea467\nvstor.sys

< MD5 for: SCECLI.DLL >
[2008.01.19 08:36:19 | 00,177,152 | ---- | M] (Microsoft Corporation) MD5=28B84EB538F7E8A0FE8B9299D591E0B9 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12\scecli.dll
[2006.11.02 10:46:12 | 00,176,640 | ---- | M] (Microsoft Corporation) MD5=80E2839D05CA5970A86D7BE2A08BFF61 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6000.16386_none_35d7205fdc305e3e\scecli.dll
[2009.04.11 07:28:24 | 00,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\ERDNT\cache\scecli.dll
[2009.04.11 07:28:24 | 00,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\System32\scecli.dll
[2009.04.11 07:28:24 | 00,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e\scecli.dll

< MD5 for: SMSS.EXE >
[2008.01.19 08:33:31 | 00,064,000 | ---- | M] (Microsoft Corporation) MD5=6701DDAF68BEDE6BBEEA9D514D73A35B -- C:\Windows\winsxs\x86_microsoft-windows-smss_31bf3856ad364e35_6.0.6001.18000_none_ac3aa7fd19319fba\smss.exe
[2009.04.11 07:28:04 | 00,064,000 | ---- | M] (Microsoft Corporation) MD5=98AF15A94CD6AC37248E72E5FE789B35 -- C:\Windows\System32\smss.exe
[2009.04.11 07:28:04 | 00,064,000 | ---- | M] (Microsoft Corporation) MD5=98AF15A94CD6AC37248E72E5FE789B35 -- C:\Windows\winsxs\x86_microsoft-windows-smss_31bf3856ad364e35_6.0.6002.18005_none_ae26210916536b06\smss.exe
[2006.11.02 10:45:45 | 00,062,976 | ---- | M] (Microsoft Corporation) MD5=CAA75757BB3695478C23CB0624342A61 -- C:\Windows\winsxs\x86_microsoft-windows-smss_31bf3856ad364e35_6.0.6000.16386_none_aa03e6011c468ee6\smss.exe

< MD5 for: SVCHOST.EXE >
[2006.11.02 10:45:47 | 00,022,016 | ---- | M] (Microsoft Corporation) MD5=10DA15933D582D2FEDCF705EFE394B09 -- C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.0.6000.16386_none_b38497a50862ad11\svchost.exe
[2008.01.19 08:33:32 | 00,021,504 | ---- | M] (Microsoft Corporation) MD5=3794B461C45882E06856F282EEF025AF -- C:\Windows\ERDNT\cache\svchost.exe
[2008.01.19 08:33:32 | 00,021,504 | ---- | M] (Microsoft Corporation) MD5=3794B461C45882E06856F282EEF025AF -- C:\Windows\System32\svchost.exe
[2008.01.19 08:33:32 | 00,021,504 | ---- | M] (Microsoft Corporation) MD5=3794B461C45882E06856F282EEF025AF -- C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.0.6001.18000_none_b5bb59a1054dbde5\svchost.exe

< MD5 for: USERINIT.EXE >
[2008.01.19 08:33:33 | 00,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\ERDNT\cache\userinit.exe
[2008.01.19 08:33:33 | 00,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\System32\userinit.exe
[2008.01.19 08:33:33 | 00,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_dc28ba15d1aff80b\userinit.exe
[2006.11.02 10:45:50 | 00,024,576 | ---- | M] (Microsoft Corporation) MD5=22027835939F86C3E47AD8E3FBDE3D11 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6000.16386_none_d9f1f819d4c4e737\userinit.exe

< MD5 for: WINLOGON.EXE >
[2009.04.11 07:28:13 | 00,314,368 | ---- | M] (Microsoft Corporation) MD5=898E7C06A350D4A1A64A9EA264D55452 -- C:\Windows\ERDNT\cache\winlogon.exe
[2009.04.11 07:28:13 | 00,314,368 | ---- | M] (Microsoft Corporation) MD5=898E7C06A350D4A1A64A9EA264D55452 -- C:\Windows\System32\winlogon.exe
[2009.04.11 07:28:13 | 00,314,368 | ---- | M] (Microsoft Corporation) MD5=898E7C06A350D4A1A64A9EA264D55452 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6002.18005_none_71ae7a22d2134741\winlogon.exe
[2006.11.02 10:45:57 | 00,308,224 | ---- | M] (Microsoft Corporation) MD5=9F75392B9128A91ABAFB044EA350BAAD -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6000.16386_none_6d8c3f1ad8066b21\winlogon.exe
[2008.01.19 08:33:37 | 00,314,880 | ---- | M] (Microsoft Corporation) MD5=C2610B6BDBEFC053BBDAB4F1B965CB24 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6001.18000_none_6fc30116d4f17bf5\winlogon.exe

< MD5 for: WS2_32.DLL >
[2008.01.19 08:37:09 | 00,179,200 | ---- | M] (Microsoft Corporation) MD5=B304D47D5744BA20FCB99FB8B2C07B0B -- C:\Windows\ERDNT\cache\ws2_32.dll
[2006.11.02 10:46:14 | 00,178,688 | ---- | M] (Microsoft Corporation) MD5=D99A071C1018BB3D4ABAAD4B62048AC2 -- C:\Windows\winsxs\x86_microsoft-windows-w..nfrastructure-ws232_31bf3856ad364e35_6.0.6000.16386_none_f080eec6d16af4f0\ws2_32.dll
[2008.01.19 08:37:09 | 00,179,200 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\ws2_32.dll
[2008.01.19 08:37:09 | 00,179,200 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\winsxs\x86_microsoft-windows-w..nfrastructure-ws232_31bf3856ad364e35_6.0.6001.18000_none_f2b7b0c2ce5605c4\ws2_32.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2009.04.11 07:27:47 | 00,241,128 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\rsaenh.dll
[2009.04.11 07:28:23 | 00,228,352 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\SLC.dll

< reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\winlogon" /v GinaDLL /c >

========== Alternate Data Streams ==========

@Alternate Data Stream - 138 bytes -> C:\ProgramData\TEMP:DFC5A2B2
@Alternate Data Stream - 115 bytes -> C:\ProgramData\TEMP:A8ADE5D8
@Alternate Data Stream - 101 bytes -> C:\ProgramData\TEMP:1CE11B51
< End of report >
Přílohy
Extras.zip
(5.43 KiB) Staženo 68 x
Nahoru
nowas
Návštěvník
Návštěvník
Příspěvky: 20
Registrován: 05 úno 2006 02:54

Re: Combofix hlásí rootkit

#7 Příspěvek od nowas »

Ten prvni log se smazal :-( muzu zkusit ho obnovit. Takze se to asi diky me blbosti nevyresi :-(
Nahoru
nowas
Návštěvník
Návštěvník
Příspěvky: 20
Registrován: 05 úno 2006 02:54

Re: Combofix hlásí rootkit

#8 Příspěvek od nowas »

dik za snahu
no teoreticky vlastne jo ale pri tom druhym se mi seklo pc driv nez zacal skenovat
Přílohy
Qoobox.zip
(12.04 KiB) Staženo 76 x
Nahoru
nowas
Návštěvník
Návštěvník
Příspěvky: 20
Registrován: 05 úno 2006 02:54

Re: Combofix hlásí rootkit

#9 Příspěvek od nowas »

log z CF
ComboFix 10-01-26.06 - Irma 27.01.2010 18:48:49.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1250.420.1029.18.959.156 [GMT 1:00]
Spuštěný z: c:\users\Irma\Desktop\ComboFix.exe
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Soubory vytvořené od 2009-12-27 do 2010-01-27 )))))))))))))))))))))))))))))))
.

2010-01-27 17:58 . 2010-01-27 18:00 -------- d-----w- c:\users\Irma\AppData\Local\temp
2010-01-27 17:58 . 2010-01-27 17:58 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-01-27 17:58 . 2010-01-27 17:58 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-27 17:14 . 2010-01-27 17:44 -------- d-----w- c:\program files\R-Studio
2010-01-27 16:09 . 2010-01-27 16:09 77312 ----a-w- C:\mbr.exe
2010-01-27 15:12 . 2010-01-27 15:14 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-01-27 15:12 . 2010-01-27 15:12 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-27 15:00 . 2010-01-19 13:13 162640 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-01-27 15:00 . 2010-01-19 11:42 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-01-27 15:00 . 2010-01-19 11:43 23248 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-01-27 15:00 . 2010-01-19 11:46 46544 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-01-27 15:00 . 2010-01-19 11:43 51792 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-01-27 14:59 . 2010-01-19 11:57 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-01-27 14:59 . 2010-01-19 11:57 152672 ----a-w- c:\windows\system32\aswBoot.exe
2010-01-27 14:59 . 2010-01-27 14:59 -------- d-----w- c:\programdata\Alwil Software
2010-01-27 14:59 . 2010-01-27 14:59 -------- d-----w- c:\program files\Alwil Software
2010-01-27 11:15 . 2010-01-27 11:15 -------- d-----w- c:\program files\Kaspersky Lab
2010-01-27 11:12 . 2010-01-27 11:12 -------- d-----w- c:\programdata\Kaspersky Lab Setup Files
2010-01-27 10:01 . 2010-01-27 10:01 -------- d-----w- c:\program files\CCleaner
2010-01-27 09:31 . 2010-01-27 11:08 -------- d-----w- c:\programdata\PC Tools
2010-01-27 08:35 . 2010-01-27 08:35 -------- d-----w- c:\users\Irma\AppData\Roaming\URSoft
2010-01-27 08:35 . 2010-01-27 08:35 -------- d-----w- c:\program files\Your Uninstaller 2010
2010-01-12 22:43 . 2009-10-19 13:38 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-01-12 22:43 . 2009-10-19 13:35 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-01-09 10:28 . 2010-01-09 10:36 -------- d-----w- c:\users\Irma\AppData\Roaming\U3

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-27 11:32 . 2007-04-28 15:51 112144 ----a-w- c:\windows\system32\drivers\kl1.sys
2010-01-27 08:32 . 2007-01-08 21:09 598600 ----a-w- c:\windows\system32\perfh005.dat
2010-01-27 08:32 . 2007-01-08 21:09 114808 ----a-w- c:\windows\system32\perfc005.dat
2010-01-14 10:12 . 2009-10-03 11:13 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-13 22:53 . 2007-04-13 09:46 -------- d-----w- c:\programdata\Microsoft Help
2010-01-13 22:52 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-01-02 06:38 . 2010-01-21 20:43 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-21 20:43 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32 . 2010-01-21 20:43 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57 . 2010-01-21 20:43 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-20 08:16 . 2009-12-20 08:16 515848 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-12-13 19:18 . 2009-12-13 19:18 -------- d-----w- c:\program files\MSXML 4.0
2009-12-09 22:58 . 2009-12-09 22:58 -------- d-----w- c:\program files\Software602
2009-12-04 13:04 . 2009-12-04 13:04 -------- d-----w- c:\program files\AVG
2009-12-04 12:51 . 2009-12-04 12:51 -------- d-----w- c:\program files\Windows Portable Devices
2009-12-04 12:50 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-12-04 12:50 . 2009-12-04 12:50 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-12-03 05:20 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-12-03 05:19 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-12-03 05:19 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2009-12-03 05:19 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2009-12-03 05:19 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2009-12-03 05:19 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-12-03 05:16 . 2009-12-03 05:16 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-11-28 14:57 . 2006-11-02 10:32 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2009-11-28 14:57 . 2006-11-02 10:32 82432 ----a-w- c:\windows\system32\axaltocm.dll
2009-11-26 21:31 . 2007-10-23 07:00 99864 ----a-w- c:\users\Irma\AppData\Local\GDIPFONTCACHEV1.DAT
2009-11-09 12:31 . 2009-12-13 19:17 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-11-09 12:30 . 2009-12-13 19:17 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-11-09 10:36 . 2009-12-13 19:17 411648 ----a-w- c:\windows\system32\drivers\http.sys
2004-12-02 05:18 . 2007-04-13 10:17 222390 --sha-r- c:\windows\ConfigSetRoot\IO.SYS
.

(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 2153472]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2007-06-20 4493312]
"Skytel"="Skytel.exe" [2007-06-15 1826816]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-04-12 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-12 8429568]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-12 81920]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-01-19 2743104]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Remote Control.lnk - c:\program files\KWorld Multimedia\TV Tuner Card Utilities\HMCP3XCtl.exe [2007-7-12 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"VistaSp2"=hex(b):76,ac,b4,1d,d9,73,ca,01

R1 aswSP;aswSP;c:\windows\System32\drivers\aswSP.sys [27.1.2010 16:00 162640]
R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [27.1.2010 16:00 19024]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [27.1.2010 16:00 51792]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [27.1.2010 16:12 1153368]
R3 3xHybrid;3xHybrid service;c:\windows\System32\drivers\3xHybrid.sys [20.4.2007 12:34 674048]
S2 BT848;WinFast TV2000 XP WDM Video Capture;c:\windows\System32\drivers\wf2kvcap.sys [4.10.2004 10:34 75925]
S3 FontCache;Mezipaměť písem Windows;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [8.6.2008 9:20 21504]
S3 Ph3xIB32;Philips 713x Inbox PCI TV Card;c:\windows\System32\drivers\Ph3xIB32.sys [2.11.2006 11:32 1083520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Obsah adresáře 'Naplánované úlohy'

2010-01-27 c:\windows\Tasks\User_Feed_Synchronization-{0023ABC7-74C2-496E-9CE7-01F885722655}.job
- c:\windows\system32\msfeedssync.exe [2010-01-21 04:56]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.seznam.cz/
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {672EE252-D813-4F5E-81BB-5DD163DD4FA5} - hxxps://www.mojedatovaschranka.cz/static/pages/ ... ctivex.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-27 18:59
Windows 6.0.6002 Service Pack 2 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x84F0A910]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x82bbfd24
\Driver\ACPI -> acpi.sys @ 0x80613d68
\Driver\atapi -> 0x85941ae0
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\conime.exe
c:\windows\RtHDVCpl.exe
c:\windows\System32\rundll32.exe
c:\program files\Alwil Software\Avast5\AvastUI.exe
c:\windows\System32\rundll32.exe
c:\windows\ehome\ehmsas.exe
c:\windows\ehome\ehsched.exe
c:\windows\ehome\ehRecvr.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Celkový čas: 2010-01-27 19:06:41 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-01-27 18:06
ComboFix2.txt 2010-01-27 14:50
ComboFix3.txt 2010-01-27 09:12

Před spuštěním: Volných bajtů: 185 911 377 920
Po spuštění: Volných bajtů: 185 790 013 440

- - End Of File - - 6A01455A2AE4BC3047AC48C2957AAE98

po vytvoreni logu jsem musel resetovat protoze pri pokusu neco spustit nahlasilo: Pokus pouzit neplatnou operaci na klic registru, ktery je oznacen pro odstraneni.
Nahoru
nowas
Návštěvník
Návštěvník
Příspěvky: 20
Registrován: 05 úno 2006 02:54

Re: Combofix hlásí rootkit

#10 Příspěvek od nowas »

jj prave ho delam. pokusim se jeste obnovit ten nejstarci log z CF. Zatim dik moc

tak RR jsem zkousel 2krat a pokazdy me to spadlo s chybou v nvstor.sys - tak jsem tu sluzbu vyuzivajici ten soubor zakazal. Bohuzel jsem uz nemel cas to zkontrolovat znovu a dneska se k tomu nedostanu. Pristi tyden to sem dam. Zatim dik
Nahoru
Odpovědět

Zpět na „Řešení problémů, logy“