VIRY.CZ

Dobry den chcel by som vas poprosit o kontrolu logu.
Mam Win Xp SP2. Mal som ESET Smart Security, no dostal som nejaky virus, kde
sa mi pustal dalsi proces svchost.exe ktory mi stale vytazoval procesor.
Odinstaloval som Eset a dal som si Avast!, ten mi odstranil nejake virusy, no pocitac ide velmi pomaly.
Velmi myslim asi tak ze ked ho nastartujem a kliknem aby sa mi pustil Firefox, tak mozem prist tak za 2 minuty...
Na skusku som vypol Avast! a vsetko ide o poznanie rychlejsie, no rad by som svoj PC "docistil".

Tiez by som sa rad spytal aky antivir + firewall by ste odporucili co tak nezatazuje pocitac.

Chcel som sem hned dat log z RSIT, no napisalo mi to takuto chybu
Autolt Error Line-1: Error:Variable used without being declared

Z ostatnych topicov co som si pozeral, tak radcovia presli na logy z MBAM alebo CF, takze tu su.
Dakujem pekne za rady.

LOG MBAM

Malwarebytes' Anti-Malware 1.44
Verzia databázy: 3755
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

18. 2. 2010 16:27:29
mbam-log-2010-02-18 (16-27-21).txt

Typ kontroly: Rýchla
Objektov kontrolovaných: 122914
Uplynutý cas: 9 minute(s), 7 second(s)

Infikovaných procesov pamäte: 0
Infikovaných modulov pamäte: 0
Infikovaných registracných klúcov: 2
Infikovaných registracných hodnôt: 0
Infikovaných registracných údajov položiek: 3
Infikovaných priecinkov: 0
Infikovaných súborov: 4

Infikovaných procesov pamäte:
(Žiadne škodlivé položky)

Infikovaných modulov pamäte:
(Žiadne škodlivé položky)

Infikovaných registracných klúcov:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{055fd26d-3a88-4e15-963d-dc8493744b1d} (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{055fd26d-3a88-4e15-963d-dc8493744b1d} (Trojan.BHO) -> No action taken.

Infikovaných registracných hodnôt:
(Žiadne škodlivé položky)

Infikovaných registracných údajov položiek:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Infikovaných priecinkov:
(Žiadne škodlivé položky)

Infikovaných súborov:
C:\WINDOWS\system32\drivers\trvbtzk.sys (Rootkit.Agent) -> No action taken.
C:\WINDOWS\PDFCreator_Toolbar_Uninstaller_1281.exe (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\Administrator\Data aplikací\avdrn.dat (Malware.Trace) -> No action taken.
C:\Program Files\ICQToolbar\tbuE80\toolbaru.dll (Trojan.BHO) -> No action taken.

Edit: nejde mi spustit Combofix, pretoze mi hlasi ze mam spusteny Eset Smart security, pricom som ho uz odinstaloval.. zaujimave, asi stale niekde bezi a treba to odstranit. Zatial sa mi to nepodarilo.

Dakujem este raz

Dobré ráno.

Nejde hláška o vypnutí ESET SS přeskočit/ignorovat?

Nejde, je tam len tlacitko OK, inak by som uz skusal nieco.
V process manageri mi proces ESET-u "ekrn.exe" nejde vypnut.
Napise mi ze "Pristup byl odepren"

Edit: nainstaloval som si aj CCleaner, a tam dal vymazat cely obsah adresara Eset aj s registrami, ale neviem ci to robim zle, ale ked tam pridam ten adresar a dam potvrdit ze odobrat... tak stale je ten adresar pritomny na HDD, akoby sa nic nestalo..
nechapem

Tak zkuste spustit RSIT v režimu kompatibility s Windows XP.

Konecne sa mi podarilo spustit ComboFix.
Prikladam log. Stali sa vsak 2 veci. Zmizol mi avast z listy kde sazobrazuju spustene programy, vpravo dole pri hodinach
a nejde mi net. Nic ine som nerobil len som spustil ComboFix.
Ten RSIT som stahoval odtialto z viry.cz, od nejakeho radcu z podpisu, takze by to malo byt ok, no na zalozke "kompatibilita"
su len systemy Win 95,98, Me, NT a 2000.

Edit: Uz mi ide net.
Mozno sa pozastavite nad tym ze CF hlasi fw a antivir ESET SS.. ja som sa nad tym pozastavil tiez, ale uz je vymazany cely priecinok ESET-u, sluzby od neho nie su ziadne spustene a registre som vycistil manualne a este som ich dal aj skontrolovat a vsetko je v poriadku.. tak neviem kde to este moze bezat.. lebo pri spusteni scanu mi vyhlasil CF ze nech radsej vypnem ten ESET, dal som OK a test zbehol.. takze asi tolko. Net mi ide uz preto ze som si vsimol ze v nastaveniach LAN siete, bol v zozname kde su polozky ako TCP/IP protokoly atd, aj ESET.. tak som dal tlacitko "Odinstalovat" a internet uz ide.
Tot vsjo

CF log:

ComboFix 10-02-17.01 - Administrator . 02. 2010 15:31:04.1.2 - x86
Running from: c:\documents and settings\Administrator\Plocha\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100219-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: ESET Smart Security 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-3766570927-97135596-3970524481-1000
c:\documents and settings\Administrator\Dokumenty\cc_20100219_011334.reg
c:\recycler\S-1-5-21-73586283-1417001333-839522115-1003

.
((((((((((((((((((((((((( Files Created from 2010-01-19 to 2010-02-19 )))))))))))))))))))))))))))))))
.

2010-02-18 15:06 . 2010-01-07 15:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-18 15:06 . 2010-02-18 15:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-18 15:06 . 2010-01-07 15:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-18 14:46 . 2010-02-18 14:46 -------- d-----w- C:\rsit
2010-02-17 21:45 . 2010-01-21 23:21 767952 ----a-w- c:\windows\BDTSupport.dll
2010-02-17 21:45 . 2010-01-21 23:21 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-02-17 21:45 . 2009-10-28 00:36 1152444 ----a-w- c:\windows\UDB.zip
2010-02-17 21:45 . 2008-11-26 11:08 131 ----a-w- c:\windows\IDB.zip
2010-02-17 21:45 . 2010-01-21 23:21 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-02-17 21:45 . 2010-01-21 23:21 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-02-17 21:39 . 2010-02-05 08:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-02-17 21:39 . 2009-10-06 15:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-02-17 21:39 . 2009-09-23 15:10 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-02-17 21:39 . 2010-02-05 08:25 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-02-17 21:38 . 2010-02-17 21:45 -------- d-----w- c:\program files\Common Files\PC Tools
2010-02-17 21:38 . 2010-02-18 14:57 -------- d-----w- c:\program files\Spyware Doctor
2010-02-17 14:52 . 2009-11-24 23:49 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-02-17 14:52 . 2009-11-24 23:48 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-02-17 14:52 . 2009-11-24 23:47 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-02-17 14:52 . 2009-11-24 23:47 97480 ----a-w- c:\windows\system32\AvastSS.scr
2010-02-17 14:52 . 2009-11-24 23:51 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-02-17 14:52 . 2009-11-24 23:50 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-02-17 14:52 . 2009-11-24 23:50 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-02-17 14:52 . 2009-11-24 23:50 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-02-17 14:51 . 2009-11-24 23:54 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2010-02-17 10:09 . 2010-02-17 14:51 -------- d-----w- c:\program files\Alwil Software
2010-02-17 09:40 . 2009-12-30 10:20 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys
2010-02-17 09:40 . 2010-02-17 09:40 -------- d-----w- c:\program files\VS Revo Group
2010-02-10 14:13 . 2010-02-10 14:13 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2010-02-10 14:13 . 2010-02-10 14:13 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2010-02-10 14:13 . 2010-02-10 14:13 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2010-02-10 14:13 . 2010-02-10 14:13 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2010-02-10 14:06 . 2010-02-10 14:31 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-10 14:04 . 2010-02-10 14:04 -------- d-----w- c:\program files\Business Logic Corporation
2010-02-10 13:41 . 2010-02-10 13:41 -------- d-----w- c:\program files\CleanUp!
2010-02-10 12:46 . 2010-02-10 12:46 -------- d-----w- c:\program files\ProcessExplorerNt
2010-02-10 12:26 . 2010-02-10 12:26 -------- d-----w- C:\Nová složka
2010-02-10 12:25 . 2008-10-16 13:09 43544 ----a-w- c:\windows\system32\wups2.dll
2010-02-09 15:24 . 2010-02-19 14:38 792064 ----a-w- c:\windows\system32\drivers\trvbtzk.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-19 14:33 . 2004-08-18 12:00 79044 ----a-w- c:\windows\system32\perfc005.dat
2010-02-19 14:33 . 2004-08-18 12:00 431978 ----a-w- c:\windows\system32\perfh005.dat
2010-02-19 13:17 . 2010-02-19 13:17 -------- d-----w- c:\program files\Unlocker
2010-02-19 00:01 . 2010-02-19 00:01 -------- d-----w- c:\program files\CCleaner
2010-02-18 23:58 . 2008-05-19 16:16 -------- d-----w- c:\program files\DivFix 1.091
2010-02-17 15:13 . 2009-03-02 17:29 -------- d-----w- c:\program files\Total Video Converter
2010-02-10 13:08 . 2009-01-20 17:31 -------- d-----w- c:\program files\Cool MP3 Splitter
2010-02-10 12:30 . 2008-02-11 18:46 -------- d-----w- c:\program files\TuneUp Utilities 2007
2010-02-09 23:07 . 2009-11-05 15:17 -------- d-----w- c:\program files\LogMeIn
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-11-11 90112]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-10-13 344064]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2003-12-27 81920]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2009-10-26 15872]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-18 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-09-28 18:34 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Nabídka Start^Programy^Po spuštění^Desktop Calendar Reminder.lnk]
path=c:\documents and settings\Administrator\Nabídka Start\Programy\Po spuštění\Desktop Calendar Reminder.lnk
backup=c:\windows\pss\Desktop Calendar Reminder.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Nabídka Start^Programy^Po spuštění^netuza32.exe]
path=c:\documents and settings\Administrator\Nabídka Start\Programy\Po spuštění\netuza32.exe
backup=c:\windows\pss\netuza32.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Nabídka Start^Programy^Po spuštění^Seagate 2GEWJLKR Product Registration.lnk]
path=c:\documents and settings\Administrator\Nabídka Start\Programy\Po spuštění\Seagate 2GEWJLKR Product Registration.lnk
backup=c:\windows\pss\Seagate 2GEWJLKR Product Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2008-03-06 12:20 910744 ----a-w- c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
2008-08-11 11:41 63048 ----a-w- c:\program files\LogMeIn\x86\LogMeInSystray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-08-17 13:58 1667584 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 15:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2008-03-06 12:13 2615688 ----a-w- c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"VMAuthdService"=2 (0x2)
"ufad-ws60"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"AutoPowerOn"=c:\program files\AutoPowerOn\AutoPowerOn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroFilterCheck"=c:\windows\system32\NeroCheck.exe
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\WIP Miranda IM 1.4\\miranda32.exe"=
"c:\\Program Files\\Microsoft Visual Studio\\Common\\Tools\\VS-Ent98\\Vanalyzr\\VARPC.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

R0 a347bus;a347bus;c:\windows\system32\DRIVERS\a347bus.sys [2004-04-30 160640]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [x]
R2 ShutdownPlus;ShutdownPlus;c:\program files\ShutdownPlus\sdpsrvc.exe [x]
R3 EverestDriver;Lavalys EVEREST Kernel Driver;h:\programy\Lavalys.EVEREST.Ultimate.Edition.v4.00.976.Multilingual.Incl.Keygen-ViRiLiTY\kerneld.wnt [2007-04-04 20856]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-01-07 38224]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
R3 Revoflt;Revoflt;c:\windows\system32\DRIVERS\revoflt.sys [2009-12-30 27064]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-12-09 365280]
R4 LMIRfsClientNP;LMIRfsClientNP; [x]
S0 a347scsi;a347scsi;c:\windows\System32\Drivers\a347scsi.sys [2004-04-30 5248]
S0 d344bus;d344bus;c:\windows\system32\DRIVERS\d344bus.sys [2003-12-27 137216]
S0 d344prt;d344prt;c:\windows\System32\Drivers\d344prt.sys [2003-12-27 5248]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-09-23 207280]
S1 aswSP;avast! Self Protection; [x]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2009-05-14 107256]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-11-24 20560]
S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [2010-01-21 112592]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2008-08-11 12856]
S2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-08-11 47640]
S3 ULI5261XP;ULi M526X Ethernet NT Driver;c:\windows\system32\DRIVERS\ULILAN51.SYS [2005-03-22 28672]

--- Other Services/Drivers In Memory ---

*Deregistered* - trvbtzk

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2009-10-16 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2006-12-19 13:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://lase/index.php?expression=&node=search&words=on&NMBonly=on
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
mStart Page = hxxp://www.aktualne.cz/?ms=ae
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &ICQ Toolbar Search - c:\program files\ICQToolbar\toolbaru.dll/SEARCH.HTML
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: E&xportovať do programu Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
DPF: {CE40C3F1-3DF5-4461-A521-810923235628} - hxxp://www.joj.sk/fileadmin/joj_player/JOJ_Explorer_Player.cab
FF - ProfilePath - c:\documents and settings\Administrator\Data aplikací\Mozilla\Firefox\Profiles\mv6zavuf.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.azet.sk/
FF - plugin: c:\program files\TV JOJ Media Player\npplugin_netscape.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".sk");
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-nodenable - c:\program files\eset\nodenable.exe
MSConfigStartUp-vmware-tray - c:\program files\VMware\VMware Workstation\vmware-tray.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-19 15:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys PCTCore.sys ACPI.sys hal.dll >>UNKNOWN [0x855B24A0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf788dfc3
\Driver\ACPI -> ACPI.sys @ 0xf77decb8
\Driver\atapi -> 0x855b24a0
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x8059ece9
ParseProcedure -> ntoskrnl.exe @ 0x8057e98a
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x8059ece9
ParseProcedure -> ntoskrnl.exe @ 0x8057e98a
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\EverestDriver]
"ImagePath"="\??\h:\programy\Lavalys.EVEREST.Ultimate.Edition.v4.00.976.Multilingual.Incl.Keygen-ViRiLiTY\kerneld.wnt"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\trvbtzk]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\•€|˙˙˙˙"•€|ţ»Ów*]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(548)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'lsass.exe'(604)
c:\windows\system32\relog_ap.dll
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
.
Completion time: 2010-02-19 15:40:45
ComboFix-quarantined-files.txt 2010-02-19 14:40

Pre-Run: Volných bajtů: 32 287 739 904
Post-Run: Volných bajtů: 37 308 518 400

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 866463284BD8C170C3A6FB3BA78C72EF

Pokračujeme.

1) Skript do ComboFix-u

Otevřete si Poznámkový blok [Start → Spustit → notepad → Enter].

Do něj vkopírujte následující text:

Kód: Vybrat vše

KillAll::

Collect::
c:\documents and settings\Administrator\Nabídka Start\Programy\Po spuštění\netuza32.exe
c:\windows\pss\netuza32.exeStartup
c:\windows\system32\drivers\trvbtzk.sys

File::
c:\windows\pss\Seagate 2GEWJLKR Product Registration.lnkStartup
c:\documents and settings\Administrator\Nabídka Start\Programy\Po spuštění\Seagate 2GEWJLKR Product Registration.lnk

Registry::
[-HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Nabídka Start^Programy^Po spuštění^netuza32.exe]
[-HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Nabídka Start^Programy^Po spuštění^Seagate 2GEWJLKR Product Registration.lnk]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\trvbtzk]

Driver::
trvbtzk

DDS::
uStart Page = hxxp://lase/index.php?expression=&node= ... NMBonly=on
IE: &ICQ Toolbar Search - c:\program files\ICQToolbar\toolbaru.dll/SEARCH.HTML

RegNull::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\•€|˙˙˙˙"•€|ţ»Ów*]

Reboot::

Uložte tento soubor na Plochu pod jménem CFScript (koncovka .txt).
Přetáhněte tento soubor nad ComboFix a pusťte ho.
I tento soubor, i ComboFix musí být na Ploše!
ComboFix se spustí a vykoná příkazy ze skriptu.
Počítač bude pravděpodobně restartován.
Po restartu na Vás vyskočí okno s logem, který mi vkopírujete sem ve formě textu.

2) VirusTotal

Otestujte na VirusTotal soubory:

Kód: Vybrat vše

h:\programy\Lavalys.EVEREST.Ultimate.Edition.v4.00.976.Multilingual.Incl.Keygen-ViRiLiTY\kerneld.wnt

Jednoduše tam vkopírujete cesty, co jsem napsal do code.
Jestliže Vám to napíše, že soubor byl již testován, nechte ho otestovat znovu.
Poté jsem vložíte linky (odkazy) na jednotlivé testy.

Prepac, skorej som nemohol:
Edit: vcera sa vam nedalo dostat na stranku, tak to davam az teraz..

Po restarte PC mi vybehla hlaska z CF ze nech si stiahnem novu verziu, tak som dal ze OK. Hadam to nie je chyba.
CF log:

ComboFix 10-02-21.02 - Administrator . 02. 2010 0:06.2.2 - x86
Running from: c:\documents and settings\Administrator\Plocha\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Plocha\CFScript.txt
AV: ESET Smart Security 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
"c:\documents and settings\Administrator\Nabídka Start\Programy\Po spuštění\Seagate 2GEWJLKR Product Registration.lnk"
"c:\windows\pss\Seagate 2GEWJLKR Product Registration.lnkStartup"

file zipped: c:\windows\system32\drivers\trvbtzk.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Dokumenty\cc_20100219_164403.reg
c:\windows\pss\Seagate 2GEWJLKR Product Registration.lnkStartup
c:\windows\system32\drivers\trvbtzk.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TRVBTZK
-------\Service_trvbtzk

((((((((((((((((((((((((( Files Created from 2010-01-21 to 2010-02-21 )))))))))))))))))))))))))))))))
.

2010-02-19 00:01 . 2010-02-19 00:01 -------- d-----w- c:\program files\CCleaner
2010-02-18 15:06 . 2010-01-07 15:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-18 15:06 . 2010-02-18 15:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-18 15:06 . 2010-01-07 15:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-18 14:46 . 2010-02-18 14:46 -------- d-----w- C:\rsit
2010-02-17 21:45 . 2010-01-21 23:21 767952 ----a-w- c:\windows\BDTSupport.dll
2010-02-17 21:45 . 2010-01-21 23:21 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-02-17 21:45 . 2009-10-28 00:36 1152444 ----a-w- c:\windows\UDB.zip
2010-02-17 21:45 . 2008-11-26 11:08 131 ----a-w- c:\windows\IDB.zip
2010-02-17 21:45 . 2010-01-21 23:21 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-02-17 21:45 . 2010-01-21 23:21 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-02-17 21:39 . 2010-02-05 08:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-02-17 21:39 . 2009-10-06 15:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-02-17 21:39 . 2009-09-23 15:10 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-02-17 21:39 . 2010-02-05 08:25 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-02-17 21:38 . 2010-02-17 21:45 -------- d-----w- c:\program files\Common Files\PC Tools
2010-02-17 21:38 . 2010-02-18 14:57 -------- d-----w- c:\program files\Spyware Doctor
2010-02-17 10:09 . 2010-02-17 14:51 -------- d-----w- c:\program files\Alwil Software
2010-02-17 09:40 . 2009-12-30 10:20 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys
2010-02-17 09:40 . 2010-02-17 09:40 -------- d-----w- c:\program files\VS Revo Group
2010-02-10 14:13 . 2010-02-10 14:13 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2010-02-10 14:13 . 2010-02-10 14:13 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2010-02-10 14:13 . 2010-02-10 14:13 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2010-02-10 14:13 . 2010-02-10 14:13 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2010-02-10 14:06 . 2010-02-10 14:31 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-10 14:04 . 2010-02-10 14:04 -------- d-----w- c:\program files\Business Logic Corporation
2010-02-10 13:41 . 2010-02-10 13:41 -------- d-----w- c:\program files\CleanUp!
2010-02-10 12:46 . 2010-02-10 12:46 -------- d-----w- c:\program files\ProcessExplorerNt
2010-02-10 12:26 . 2010-02-10 12:26 -------- d-----w- C:\Nová složka
2010-02-10 12:25 . 2008-10-16 13:09 43544 ----a-w- c:\windows\system32\wups2.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-21 23:06 . 2004-08-18 12:00 79044 ----a-w- c:\windows\system32\perfc005.dat
2010-02-21 23:06 . 2004-08-18 12:00 431978 ----a-w- c:\windows\system32\perfh005.dat
2010-02-18 23:58 . 2008-05-19 16:16 -------- d-----w- c:\program files\DivFix 1.091
2010-02-17 15:13 . 2009-03-02 17:29 -------- d-----w- c:\program files\Total Video Converter
2010-02-10 13:08 . 2009-01-20 17:31 -------- d-----w- c:\program files\Cool MP3 Splitter
2010-02-10 12:30 . 2008-02-11 18:46 -------- d-----w- c:\program files\TuneUp Utilities 2007
2010-02-09 23:07 . 2009-11-05 15:17 -------- d-----w- c:\program files\LogMeIn
.

------- Sigcheck -------

[7] 2004-08-18 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\ERDNT\cache\atapi.sys
[-] 2004-08-18 12:00 . !HASH: COULD NOT OPEN FILE !!!!! . 95360 . . [------] . . c:\windows\system32\drivers\atapi.sys
.
((((((((((((((((((((((((((((( SnapShot@2010-02-19_14.38.03 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-18 12:00 . 2010-02-19 14:33 68156 c:\windows\system32\perfc009.dat
+ 2004-08-18 12:00 . 2010-02-21 23:06 68156 c:\windows\system32\perfc009.dat
+ 2010-02-09 15:23 . 2010-02-21 23:15 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2010-02-09 15:23 . 2010-02-19 14:11 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2010-02-09 15:23 . 2010-02-21 23:15 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2010-02-09 15:23 . 2010-02-19 14:11 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2010-02-09 15:23 . 2010-02-19 14:11 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2010-02-19 15:31 . 2010-02-21 23:15 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2004-08-18 12:00 . 2010-02-21 23:06 435260 c:\windows\system32\perfh009.dat
- 2004-08-18 12:00 . 2010-02-19 14:33 435260 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-11-11 90112]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-10-13 344064]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2003-12-27 81920]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-18 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-09-28 18:34 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Nabídka Start^Programy^Po spuštění^Desktop Calendar Reminder.lnk]
path=c:\documents and settings\Administrator\Nabídka Start\Programy\Po spuštění\Desktop Calendar Reminder.lnk
backup=c:\windows\pss\Desktop Calendar Reminder.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2008-03-06 12:20 910744 ----a-w- c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
2008-08-11 11:41 63048 ----a-w- c:\program files\LogMeIn\x86\LogMeInSystray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-08-17 13:58 1667584 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 15:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2008-03-06 12:13 2615688 ----a-w- c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"VMAuthdService"=2 (0x2)
"ufad-ws60"=3 (0x3)
"ekrn"=2 (0x2)
"EhttpSrv"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroFilterCheck"=c:\windows\system32\NeroCheck.exe
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\WIP Miranda IM 1.4\\miranda32.exe"=
"c:\\Program Files\\Microsoft Visual Studio\\Common\\Tools\\VS-Ent98\\Vanalyzr\\VARPC.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

R2 ShutdownPlus;ShutdownPlus;c:\program files\ShutdownPlus\sdpsrvc.exe [x]
R3 EverestDriver;Lavalys EVEREST Kernel Driver;h:\programy\Lavalys.EVEREST.Ultimate.Edition.v4.00.976.Multilingual.Incl.Keygen-ViRiLiTY\kerneld.wnt [2007-04-04 20856]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-01-07 38224]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
R3 Revoflt;Revoflt;c:\windows\system32\DRIVERS\revoflt.sys [2009-12-30 27064]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-12-09 365280]
R4 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [x]
R4 LMIRfsClientNP;LMIRfsClientNP; [x]
S0 a347bus;a347bus;c:\windows\system32\DRIVERS\a347bus.sys [2004-04-30 160640]
S0 a347scsi;a347scsi;c:\windows\System32\Drivers\a347scsi.sys [2004-04-30 5248]
S0 d344bus;d344bus;c:\windows\system32\DRIVERS\d344bus.sys [2003-12-27 137216]
S0 d344prt;d344prt;c:\windows\System32\Drivers\d344prt.sys [2003-12-27 5248]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-09-23 207280]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2009-05-14 107256]
S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [2010-01-21 112592]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2008-08-11 12856]
S2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-08-11 47640]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2010-02-19 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2006-12-19 13:13]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
mStart Page = hxxp://www.aktualne.cz/?ms=ae
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: E&xportovať do programu Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
DPF: {CE40C3F1-3DF5-4461-A521-810923235628} - hxxp://www.joj.sk/fileadmin/joj_player/JOJ_Explorer_Player.cab
FF - ProfilePath - c:\documents and settings\Administrator\Data aplikací\Mozilla\Firefox\Profiles\mv6zavuf.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.azet.sk/
FF - plugin: c:\program files\TV JOJ Media Player\npplugin_netscape.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".sk");
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-UnlockerAssistant - c:\program files\Unlocker\UnlockerAssistant.exe

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\EverestDriver]
"ImagePath"="\??\h:\programy\Lavalys.EVEREST.Ultimate.Edition.v4.00.976.Multilingual.Incl.Keygen-ViRiLiTY\kerneld.wnt"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\•€|˙˙˙˙"•€|ţ»Ów*]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(900)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'lsass.exe'(956)
c:\windows\system32\relog_ap.dll
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

- - - - - - - > 'explorer.exe'(1628)
c:\windows\system32\LMIRfsClientNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\windows\system32\msiexec.exe
c:\windows\system32\wdfmgr.exe
c:\windows\SOUNDMAN.EXE
c:\progra~1\Ahead\NEROTO~1\DRIVES~1.EXE
.
**************************************************************************
.
Completion time: 2010-02-22 00:19:30 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-21 23:19
ComboFix2.txt 2010-02-19 14:40

Pre-Run: Volných bajtů: 37 461 811 200
Post-Run: Volných bajtů: 37 340 770 304

- - End Of File - - C6396A256814347BDA7B163878F38FC9

VirusTotal vysledky.. neviem presne co z toho. Je tam len naspodu jeden link(odkaz)

Soubor kerneld.wnt přijatý 2010.02.21 22:52:01 (UTC)
Současný stav: Dokončeno
Výsledek: 1/39 (2.56%)

Antivirus Verze Poslední aktualizace Výsledek
a-squared 4.5.0.50 2010.02.21 -
AhnLab-V3 5.0.0.2 2010.02.20 -
AntiVir 8.2.1.170 2010.02.19 -
Antiy-AVL 2.0.3.7 2010.02.19 -
Authentium 5.2.0.5 2010.02.21 -
Avast 4.8.1351.0 2010.02.21 -
AVG 9.0.0.730 2010.02.21 -
BitDefender 7.2 2010.02.21 -
CAT-QuickHeal 10.00 2010.02.19 -
ClamAV 0.96.0.0-git 2010.02.21 -
Comodo 4016 2010.02.21 -
DrWeb 5.0.1.12222 2010.02.21 -
eSafe 7.0.17.0 2010.02.21 Win32.Agent.aj
eTrust-Vet 35.2.7315 2010.02.20 -
F-Prot 4.5.1.85 2010.02.21 -
F-Secure 9.0.15370.0 2010.02.19 -
Fortinet 4.0.14.0 2010.02.21 -
GData 19 2010.02.21 -
Ikarus T3.1.1.80.0 2010.02.21 -
Jiangmin 13.0.900 2010.02.21 -
K7AntiVirus 7.10.979 2010.02.20 -
Kaspersky 7.0.0.125 2010.02.17 -
McAfee 5899 2010.02.21 -
McAfee+Artemis 5899 2010.02.21 -
McAfee-GW-Edition 6.8.5 2010.02.19 -
Microsoft 1.5406 2010.02.21 -
NOD32 4885 2010.02.21 -
Norman 6.04.08 2010.02.21 -
nProtect 2009.1.8.0 2010.02.21 -
Panda 10.0.2.2 2010.02.21 -
PCTools 7.0.3.5 2010.02.21 -
Rising 22.34.01.03 2010.02.11 -
Sophos 4.50.0 2010.02.21 -
Sunbelt 5691 2010.02.21 -
Symantec 20091.2.0.41 2010.02.21 -
TheHacker 6.5.1.6.202 2010.02.21 -
TrendMicro 9.120.0.1004 2010.02.21 -
ViRobot 2010.2.19.2194 2010.02.19 -
VirusBuster 5.0.27.0 2010.02.21 -

Rozšiřující informace
File size: 20856 bytes
MD5 : 01bae99f2ef5faff7927959db577d58a
SHA1 : 6c5d510f38d352d6c2601e20c32ecd39f637be2e
SHA256: 36a31105d0bf9970eb97b460bb1aea936704257b98251ef44da373f27bf476fb
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x6005
timedatestamp.....: 0x4581D347 (Thu Dec 14 23:42:15 2006)
machinetype.......: 0x14C (Intel I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x26B2 0x2800 5.07 112e40fe781af6fda4ea40d3ad3289e2
.rdata 0x4000 0xC1 0x200 2.09 725e049361266039a385859639dd0317
.data 0x5000 0x420 0x200 0.16 0b2e7741e0c0fc65af1542e370d89f53
INIT 0x6000 0x2A0 0x400 3.96 22702f23e7f2917dc8182d9be89abb99
.reloc 0x7000 0x14C 0x200 3.71 8239d341abe4309dbf86622aae1b9fdd

( 1 imports )

> ntoskrnl.exe: MmUnmapIoSpace, MmMapIoSpace, PsGetVersion, IofCompleteRequest, KeWaitForSingleObject, IofCallDriver, IoBuildDeviceIoControlRequest, KeInitializeEvent, RtlFreeUnicodeString, ObfDereferenceObject, MmIsAddressValid, IoGetDeviceObjectPointer, RtlAnsiStringToUnicodeString, RtlInitAnsiString, memcpy, IoDeleteDevice, IoDeleteSymbolicLink, RtlInitUnicodeString, IoCreateSymbolicLink, IoCreateDevice, memset, KeTickCount

( 0 exports )
TrID : File type identification
Generic Win/DOS Executable (49.9%)
DOS Executable Generic (49.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
ssdeep: 192:TDWdnD5uh12rvlfdNIG+l2fNO+pUKfL/CldolMzMjGwP7IMMcJ+ebMvWA7Zgjl14:ORD8ShKoO8UKfLCcgNc/ba36jA
sigcheck: publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: LAVALYS
VeriSign Class 3 Code Signing 2004 CA
Class 3 Public Primary Certification Authority
signing date.: 11:42 PM 12/14/2006
verified.....: -
PEiD : -
CWSandbox: http://research.sunbelt-software.com/pa ... 9db577d58a
RDS : NSRL Reference Data Set
-

Pokračujeme. ↓

1) Zazálohujte si důležitá data

Máte možnou infekci na atapi, pro jistotu si zazálohujte důležitá a nenahraditelná data.

2) Skript do ComboFix-u

Otevřete si Poznámkový blok [Start → Spustit → notepad → Enter].

Do něj vkopírujte následující text:

Kód: Vybrat vše

KillAll::

FCopy::
c:\windows\ERDNT\cache\atapi.sys | c:\windows\system32\drivers\atapi.sys

RegLockDel::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\•€|˙˙˙˙"•€|ţ»Ów*]

File::
h:\programy\Lavalys.EVEREST.Ultimate.Edition.v4.00.976.Multilingual.Incl.Keygen-ViRiLiTY\kerneld.wnt

Reboot::

Uložte tento soubor na Plochu pod jménem CFScript (koncovka .txt).
Přetáhněte tento soubor nad ComboFix a pusťte ho.
I tento soubor, i ComboFix musí být na Ploše!
ComboFix se spustí a vykoná příkazy ze skriptu.
Počítač bude pravděpodobně restartován.
Po restartu na Vás vyskočí okno s logem, který mi vkopírujete sem ve formě textu.

Uz som myslel ze sa mi PC nerozbehne... to ATAPI vymazavat vyzera take osemetne.. 2 krat som musel restartovat PC manualne, elbo to 15 min. nic nerobilo... Z logu vyzera ze to prebehlo.

CFlog

ComboFix 10-02-21.02 - Administrator . 02. 2010 15:33:20.3.2 - x86
Running from: c:\documents and settings\Administrator\Plocha\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Plocha\CFScript.txt
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
"h:\programy\Lavalys.EVEREST.Ultimate.Edition.v4.00.976.Multilingual.Incl.Keygen-ViRiLiTY\kerneld.wnt"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

h:\programy\Lavalys.EVEREST.Ultimate.Edition.v4.00.976.Multilingual.Incl.Keygen-ViRiLiTY\kerneld.wnt

.
--------------- FCopy ---------------

c:\windows\ERDNT\cache\atapi.sys --> c:\windows\system32\drivers\atapi.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_EverestDriver
-------\Service_EverestDriver

((((((((((((((((((((((((( Files Created from 2010-01-22 to 2010-02-22 )))))))))))))))))))))))))))))))
.

2010-02-22 13:02 . 2010-02-22 13:02 -------- d-----w- c:\program files\ESET
2010-02-22 12:38 . 2010-02-22 12:38 -------- d-----w- c:\program files\VideoLAN
2010-02-19 00:01 . 2010-02-19 00:01 -------- d-----w- c:\program files\CCleaner
2010-02-18 15:06 . 2010-01-07 15:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-18 15:06 . 2010-02-18 15:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-18 15:06 . 2010-01-07 15:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-18 14:46 . 2010-02-18 14:46 -------- d-----w- C:\rsit
2010-02-17 21:45 . 2010-01-21 23:21 767952 ----a-w- c:\windows\BDTSupport.dll
2010-02-17 21:45 . 2010-01-21 23:21 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-02-17 21:45 . 2009-10-28 00:36 1152444 ----a-w- c:\windows\UDB.zip
2010-02-17 21:45 . 2008-11-26 11:08 131 ----a-w- c:\windows\IDB.zip
2010-02-17 21:45 . 2010-01-21 23:21 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-02-17 21:45 . 2010-01-21 23:21 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-02-17 21:39 . 2010-02-05 08:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-02-17 21:39 . 2009-10-06 15:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-02-17 21:39 . 2009-09-23 15:10 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-02-17 21:39 . 2010-02-05 08:25 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-02-17 21:38 . 2010-02-17 21:45 -------- d-----w- c:\program files\Common Files\PC Tools
2010-02-17 21:38 . 2010-02-18 14:57 -------- d-----w- c:\program files\Spyware Doctor
2010-02-17 10:09 . 2010-02-17 14:51 -------- d-----w- c:\program files\Alwil Software
2010-02-17 09:40 . 2009-12-30 10:20 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys
2010-02-17 09:40 . 2010-02-17 09:40 -------- d-----w- c:\program files\VS Revo Group
2010-02-10 14:13 . 2010-02-10 14:13 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2010-02-10 14:13 . 2010-02-10 14:13 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2010-02-10 14:13 . 2010-02-10 14:13 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2010-02-10 14:13 . 2010-02-10 14:13 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2010-02-10 14:06 . 2010-02-10 14:31 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-10 14:04 . 2010-02-10 14:04 -------- d-----w- c:\program files\Business Logic Corporation
2010-02-10 13:41 . 2010-02-10 13:41 -------- d-----w- c:\program files\CleanUp!
2010-02-10 12:46 . 2010-02-10 12:46 -------- d-----w- c:\program files\ProcessExplorerNt
2010-02-10 12:26 . 2010-02-10 12:26 -------- d-----w- C:\Nová složka
2010-02-10 12:25 . 2009-08-06 18:24 44768 ----a-w- c:\windows\system32\wups2.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-22 14:34 . 2004-08-18 12:00 79044 ----a-w- c:\windows\system32\perfc005.dat
2010-02-22 14:34 . 2004-08-18 12:00 431978 ----a-w- c:\windows\system32\perfh005.dat
2010-02-18 23:58 . 2008-05-19 16:16 -------- d-----w- c:\program files\DivFix 1.091
2010-02-17 15:13 . 2009-03-02 17:29 -------- d-----w- c:\program files\Total Video Converter
2010-02-10 13:08 . 2009-01-20 17:31 -------- d-----w- c:\program files\Cool MP3 Splitter
2010-02-10 12:30 . 2008-02-11 18:46 -------- d-----w- c:\program files\TuneUp Utilities 2007
2010-02-09 23:07 . 2009-11-05 15:17 -------- d-----w- c:\program files\LogMeIn
2009-12-17 08:00 . 2007-09-05 17:25 343552 ----a-w- c:\windows\system32\mspaint.exe
.

------- Sigcheck -------

[7] 2004-08-18 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\ERDNT\cache\atapi.sys
[7] 2004-08-18 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\atapi.sys
[-] 2004-08-18 12:00 . !HASH: COULD NOT OPEN FILE !!!!! . 95360 . . [------] . . c:\windows\system32\drivers\atapi.sys
.
((((((((((((((((((((((((((((( SnapShot@2010-02-19_14.38.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-09-05 17:27 . 2009-08-06 18:24 35552 c:\windows\system32\wups.dll
+ 2007-09-05 17:27 . 2009-08-06 18:24 53472 c:\windows\system32\wuauclt.exe
+ 2008-01-08 22:15 . 2009-05-26 11:40 18296 c:\windows\system32\spmsg.dll
+ 2010-02-22 13:09 . 2009-08-06 18:24 44768 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.4.7600.226\wups2.dll
+ 2010-02-22 13:09 . 2009-08-06 18:24 35552 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.4.7600.226\wups.dll
- 2004-08-18 12:00 . 2010-02-19 14:33 68156 c:\windows\system32\perfc009.dat
+ 2004-08-18 12:00 . 2010-02-22 14:34 68156 c:\windows\system32\perfc009.dat
+ 2009-11-16 08:06 . 2009-11-16 08:06 96408 c:\windows\system32\drivers\epfwtdir.sys
+ 2007-09-05 17:27 . 2009-08-06 18:24 53472 c:\windows\system32\dllcache\wuauclt.exe
+ 2004-08-18 12:00 . 2009-08-06 18:24 96480 c:\windows\system32\dllcache\cdm.dll
- 2010-02-09 15:23 . 2010-02-19 14:11 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2010-02-09 15:23 . 2010-02-22 14:46 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2010-02-09 15:23 . 2010-02-19 14:11 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-02-09 15:23 . 2010-02-22 14:46 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2010-02-09 15:23 . 2010-02-19 14:11 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2010-02-19 15:31 . 2010-02-22 14:46 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2004-08-18 12:00 . 2009-08-06 18:24 96480 c:\windows\system32\cdm.dll
+ 2010-02-22 13:03 . 2010-02-22 13:03 10134 c:\windows\Installer\{60F53518-1D76-447F-8E2C-A696B00E18DC}\callmsi.exe
+ 2007-09-05 17:27 . 2009-08-06 18:23 209624 c:\windows\system32\wuweb.dll
+ 2007-09-05 17:27 . 2009-08-06 18:24 327896 c:\windows\system32\wucltui.dll
+ 2007-09-05 17:27 . 2009-08-06 18:23 575704 c:\windows\system32\wuapi.dll
+ 2010-02-22 13:09 . 2009-08-06 18:23 575704 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wuapi.dll\7.4.7600.226\wuapi.dll
- 2004-08-18 12:00 . 2010-02-19 14:33 435260 c:\windows\system32\perfh009.dat
+ 2004-08-18 12:00 . 2010-02-22 14:34 435260 c:\windows\system32\perfh009.dat
+ 2009-05-14 14:47 . 2009-11-16 08:03 108792 c:\windows\system32\drivers\ehdrv.sys
+ 2009-05-14 14:41 . 2009-11-16 07:56 116520 c:\windows\system32\drivers\eamon.sys
+ 2007-09-05 17:27 . 2009-08-06 18:23 209624 c:\windows\system32\dllcache\wuweb.dll
+ 2007-09-05 17:27 . 2009-08-06 18:24 327896 c:\windows\system32\dllcache\wucltui.dll
+ 2007-09-05 17:25 . 2009-12-17 08:00 343552 c:\windows\system32\dllcache\mspaint.exe
- 2007-09-05 17:25 . 2004-08-18 12:00 343552 c:\windows\system32\dllcache\mspaint.exe
+ 2010-02-22 13:03 . 2010-02-22 13:03 101480 c:\windows\Installer\{60F53518-1D76-447F-8E2C-A696B00E18DC}\egui.exe
+ 2007-09-05 17:27 . 2009-08-06 18:23 1929952 c:\windows\system32\wuaueng.dll
+ 2007-09-05 17:27 . 2009-08-06 18:23 1929952 c:\windows\system32\dllcache\wuaueng.dll
+ 2010-02-22 13:03 . 2010-02-22 13:03 1138688 c:\windows\Installer\61b39b.msi
- 2007-09-06 20:38 . 2010-02-16 22:38 2248192 c:\windows\Installer\12ba23.msi
+ 2007-09-06 20:38 . 2010-02-22 12:21 2248192 c:\windows\Installer\12ba23.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-11-11 90112]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-10-13 344064]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2003-12-27 81920]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-11-16 2054360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-18 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-09-28 18:34 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Nabídka Start^Programy^Po spuštění^Desktop Calendar Reminder.lnk]
path=c:\documents and settings\Administrator\Nabídka Start\Programy\Po spuštění\Desktop Calendar Reminder.lnk
backup=c:\windows\pss\Desktop Calendar Reminder.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2008-03-06 12:20 910744 ----a-w- c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
2008-08-11 11:41 63048 ----a-w- c:\program files\LogMeIn\x86\LogMeInSystray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-08-17 13:58 1667584 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 15:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2008-03-06 12:13 2615688 ----a-w- c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"VMAuthdService"=2 (0x2)
"ufad-ws60"=3 (0x3)
"ekrn"=2 (0x2)
"EhttpSrv"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroFilterCheck"=c:\windows\system32\NeroCheck.exe
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\WIP Miranda IM 1.4\\miranda32.exe"=
"c:\\Program Files\\Microsoft Visual Studio\\Common\\Tools\\VS-Ent98\\Vanalyzr\\VARPC.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

R2 ShutdownPlus;ShutdownPlus;c:\program files\ShutdownPlus\sdpsrvc.exe [x]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-01-07 38224]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
R3 Revoflt;Revoflt;c:\windows\system32\DRIVERS\revoflt.sys [2009-12-30 27064]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-12-09 365280]
R4 LMIRfsClientNP;LMIRfsClientNP; [x]
S0 a347bus;a347bus;c:\windows\system32\DRIVERS\a347bus.sys [2004-04-30 160640]
S0 a347scsi;a347scsi;c:\windows\System32\Drivers\a347scsi.sys [2004-04-30 5248]
S0 d344bus;d344bus;c:\windows\system32\DRIVERS\d344bus.sys [2003-12-27 137216]
S0 d344prt;d344prt;c:\windows\System32\Drivers\d344prt.sys [2003-12-27 5248]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-09-23 207280]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2009-11-16 108792]
S1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2009-11-16 96408]
S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [2010-01-21 112592]
S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2009-11-16 735960]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2008-08-11 12856]
S2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-08-11 47640]
S3 ULI5261XP;ULi M526X Ethernet NT Driver;c:\windows\system32\DRIVERS\ULILAN51.SYS [2005-03-22 28672]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2010-02-19 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2006-12-19 13:13]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
mStart Page = hxxp://www.aktualne.cz/?ms=ae
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: E&xportovať do programu Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
DPF: {CE40C3F1-3DF5-4461-A521-810923235628} - hxxp://www.joj.sk/fileadmin/joj_player/JOJ_Explorer_Player.cab
FF - ProfilePath - c:\documents and settings\Administrator\Data aplikací\Mozilla\Firefox\Profiles\mv6zavuf.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.azet.sk/
FF - plugin: c:\program files\TV JOJ Media Player\npplugin_netscape.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".sk");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-22 15:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: error reading MBR
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys PCTCore.sys ACPI.sys hal.dll >>UNKNOWN [0x8595E2D8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf78befc3
\Driver\ACPI -> ACPI.sys @ 0xf77e7cb8
\Driver\atapi -> 0x8595e2d8
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->NDIS: ULi PCI Fast Ethernet Controller -> SendCompleteHandler -> NDIS.sys @ 0xf7637ba0
PacketIndicateHandler -> NDIS.sys @ 0xf7644b21
SendHandler -> NDIS.sys @ 0xf762287b
Warning: possible MBR rootkit infection !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\•€|˙˙˙˙"•€|ţ»Ów*]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(924)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'lsass.exe'(980)
c:\windows\system32\relog_ap.dll
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

- - - - - - - > 'explorer.exe'(2312)
c:\windows\system32\LMIRfsClientNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\windows\system32\msiexec.exe
c:\windows\system32\wdfmgr.exe
c:\windows\SOUNDMAN.EXE
c:\progra~1\Ahead\NEROTO~1\DRIVES~1.EXE
.
**************************************************************************
.
Completion time: 2010-02-22 15:50:05 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-22 14:50
ComboFix2.txt 2010-02-21 23:19
ComboFix3.txt 2010-02-19 14:40

Pre-Run: Volných bajtů: 37 111 570 432
Post-Run: Volných bajtů: 37 079 138 304

- - End Of File - - 7C72312FBB41CD383CD746AE0236C9E9

0K, pokračujeme. Jinak atapi jsem nemazal, ale nahrazoval → mazání by mělo katastrofální dopad.

1) Odinstalace virtuálních mechanik

Odinstalujte všechny virtuální mechaniky - například Alcohol, DeamonTools atd.

2) Odinstalace SPTD

Přejděte na tento odkaz.
Zde si stáhněte verzi SPTD dle Vašeho operačního systému (XP/Vista/W7 - 32/64bit).
Stažený soubor dvojklikem spusťte.
Klikněte na prostřední tlačítko 'Uninstall'.
Restartujte PC.

3) MBR.exe

Stáhněte MBR.exe na Plochu.
Proklikejte se na Start → Spustit [Win+R] a zadejte či vkopírujte následující text:
Kód: Vybrat vše
```
"%userprofile%\plocha\mbr" -t
```
Nyní stiskněte 'Enter'.
Na Ploše by se měl vytvořit soubor MBR.log, jehož obsah mi sem vkopírujete ve formě textu.

4) GMER

Stáhněte GMER, rozbalte ho na Plochu a dvojklikem ho spusťte.
Několik sekund bude skenovat.
Až sken dokončí, klikněte na 'Save' - to vygeneruje první log, který mi vložíte ve formě textu sem.
Poté vytvořte druhý log, přičemž se budete řídit tímto návodem - tento log mi sem taktéž vložíte.

Taaakze:

1) Odinstalace virtuálních mechanik ........HOTOVO

2) Odinstalace SPTD ...... vid PRILOHA3

3) MBR.exe ......... HOTOVO

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys PCTCore.sys ACPI.sys hal.dll >>UNKNOWN [0x85728E20]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x85728e20
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !

4) GMER ......... FAIL
Po spusteni GMER-u mi nieco prenbehlo, po par sekundach zamrzol, a hodilo mi to "standardnu" win hlasku o skonceni programu...
"V aplikaci gmer.exe došlo k problému a je třeba ji zavřít.... " bla bla..

Tak babo raď.....

Zkuste ho v Nouzovém režimu.

Zobrazi tu istu hlasku a zamrzne.

Další krok → GMER vynechte.

1) Stažení souborů

Stáhněte soubor atapi.rar
Odrarujte a soubor atapi.sys uložte přímo na disk C:
- Adresa souboru bude C:\atapi.sys

2) The Avenger

Stáhněte The Avenger na Plochu.
Dvojklikem program spusťte a klikněte na OK.
Otevře se Vám samotné okno programu. Následující skript v zeleném poli vkopírujte do okna 'Input Script Here'.
Kód: Vybrat vše
```
Files to Move:
C:\atapi.sys | c:\windows\system32\drivers\atapi.sys
```
Klikněte na 'Execute'. Následně potvrdíte spuštění skriptu a restart.
Po restartu Vám program otevře log v notepadu, ten mi sem vkopírujete ve formě textu.
- Pokud se neotevře Poznámkový blok s logem, najdete jej v C:\avenger.txt

Vyzera to celkom dobre...

AVENGER log

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\atapi.sys|c:\windows\system32\drivers\atapi.sys" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

VIRY.CZ

Prosim o kontrolu logu, velmi pomaly pc, problem svchost.exe

Prosim o kontrolu logu, velmi pomaly pc, problem svchost.exe

Re: Prosim o kontrolu logu, velmi pomaly pc, problem svchost.exe

Re: Prosim o kontrolu logu, velmi pomaly pc, problem svchost.exe

Re: Prosim o kontrolu logu, velmi pomaly pc, problem svchost.exe

Re: Prosim o kontrolu logu, velmi pomaly pc, problem svchost.exe

Re: Prosim o kontrolu logu, velmi pomaly pc, problem svchost.exe

Re: Prosim o kontrolu logu, velmi pomaly pc, problem svchost.exe

Re: Prosim o kontrolu logu, velmi pomaly pc, problem svchost.exe

Re: Prosim o kontrolu logu, velmi pomaly pc, problem svchost.exe

Re: Prosim o kontrolu logu, velmi pomaly pc, problem svchost.exe

Re: Prosim o kontrolu logu, velmi pomaly pc, problem svchost.exe

Re: Prosim o kontrolu logu, velmi pomaly pc, problem svchost.exe

Re: Prosim o kontrolu logu, velmi pomaly pc, problem svchost.exe

Re: Prosim o kontrolu logu, velmi pomaly pc, problem svchost.exe

Re: Prosim o kontrolu logu, velmi pomaly pc, problem svchost.exe