VIRY.CZ

Zdravim,
ted jsem se setkal na jednom pc (OS WinXP SP2) s nasledujicim problemem:
PC vubec neslo najet, pri najizdeni z nouzoveho rezimu zkoncilo pri nacteni
c:\Windows\System32\Drivers\pjwdaim.sys
jelikoz me tento soubor nic nerikal, nabootoval jsem z cd a pres konzoli jsem dany soubor smazal.
Pote uz pc najelo ok.
Zkusil jsem o danem souboru neco najit na netu a take nic.
Jen by me zajimalo, copak to bylo za havet? Nevite nekdo?
Dik za info

Hezké poledne
Pravděpodobně to byl rootkit.
Kromě smazání souboru se podívejte i do registrů, zda tam po něm nezůstal klíč.

Můžete si zde nechat zkontrolovat log z Rsitu, případně udělat doplnkový sken gmerem, zda tam toho není víc, nebo nějaké pozůstatky.

Logfile of random's system information tool 1.06 (written by random/random)
Run by Věra at 2010-02-26 15:34:39
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 164 GB (86%) free of 191 GB
Total RAM: 1022 MB (64% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:35:07, on 26.2.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Smart Security\egui.exe
C:\WINDOWS\PixArt\PAC207\Monitor.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SweetIM\Messenger\SweetIM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Smart Security\ekrn.exe
C:\Program Files\ICQ6Toolbar\ICQ Service.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Věra\Local Settings\Temporary Internet Files\Content.IE5\AZP192OV\RSIT[1].exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\trend micro\Věra.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: SweetIM ToolbarURLSearchHook Class - {EEE6C35D-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SWEETIE - {EEE6C35C-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
O3 - Toolbar: SweetIM Toolbar for Internet Explorer - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SweetIM] C:\Program Files\SweetIM\Messenger\SweetIM.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [ICQ] ~"C:\Program Files\ICQ7.0\ICQ.exe" silent loginmode=4
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {5067a26b-1337-4436-8afe-ee169c2da79f} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067a26b-1337-4436-8afe-ee169c2da79f} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77bf5300-1474-4ec7-9980-d32b190e9b07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: ICQ7 - {88EB38EF-4D2C-436D-ABD3-56B232674062} - C:\Program Files\ICQ7.0\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ7 - {88EB38EF-4D2C-436D-ABD3-56B232674062} - C:\Program Files\ICQ7.0\ICQ.exe
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.triline.cz
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game12.zylom.com/activex/zylomgamesplayer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{93E3A136-3973-4909-90FB-98180DA96C9C}: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Služba inteligentního přenosu na pozadí (BITS) (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Eset HTTP Server (ehttpsrv) - Unknown owner - C:\Program Files\Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\Smart Security\ekrn.exe
O23 - Service: Služba Google Update (gupdate1ca18eed470808a) (gupdate1ca18eed470808a) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: ICQ Service - Unknown owner - C:\Program Files\ICQ6Toolbar\ICQ Service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Automatické aktualizace (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 8248 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{055FD26D-3A88-4e15-963D-DC8493744B1D}]
XTTBPos00 Class - C:\PROGRA~1\ICQTOO~1\toolbaru.dll [2006-12-25 701952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2005-09-24 63136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22bf413b-c6d2-4d91-82a9-a0f997ba588c}]
Skype add-on (mastermind) - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2009-07-15 1586472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2007-08-31 1122128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{68F9551E-0411-48E4-9AAF-4BC42A6A46BE}]
EWPBrowseObject Class - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll [2006-06-09 34304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847}]
SweetIM Toolbar Helper - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll [2009-10-19 1345336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{327C2873-E90D-4c37-AA9D-10AC9BABA46C} - Easy-WebPrint - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll [2006-06-09 552960]
{855F3B16-6D32-4fe6-8A56-BBB695989046} - ICQToolBar - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll [2010-01-03 1019128]

{EEE6C35B-6118-11DC-9C72-001320C79847} - SweetIM Toolbar for Internet Explorer - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll [2009-10-19 1345336]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"=C:\Program Files\Analog Devices\Core\smax4pnp.exe [2005-05-20 925696]
"RemoteControl"=C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2006-07-12 29696]
"LanguageShortcut"=C:\Program Files\CyberLink\PowerDVD\Language\Language.exe [2006-09-29 49152]
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [2007-03-01 153136]
"OM_Monitor"=C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe [2006-05-16 40960]
"egui"=C:\Program Files\Smart Security\egui.exe [2007-11-14 1410304]
"KernelFaultCheck"=C:\WINDOWS\system32\dumprep 0 -k []
"Monitor"=C:\WINDOWS\PixArt\PAC207\Monitor.exe [2006-11-03 319488]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2007-10-05 282624]
"SweetIM"=C:\Program Files\SweetIM\Messenger\SweetIM.exe [2009-10-20 111928]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"OM_Monitor"=C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe [2006-05-16 57344]
"ICQ"=~C:\Program Files\ICQ7.0\ICQ.exe silent loginmode=4 []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe [2007-05-16 153136]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
C:\WINDOWS\system32\HDAShCut.exe [2004-10-27 61952]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe [2006-10-11 75304]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe [2007-10-05 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2007-08-31 1460560]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe [2006-09-28 185896]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Toolbar_eula_launcher]
C:\install\google\eula\EULALauncher.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Nabídka Start^Programy^Po spuštění^Adobe Reader Speed Launch.lnk]
C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE [2005-09-24 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^věra^nabídka start^programy^po spuštění^rncsys32.exe]
C:\Documents and Settings\Věra\Nabídka Start\Programy\Po spuštění\rncsys32.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Věra^Nabídka Start^Programy^Po spuštění^siszyd32.exe]
C:\Documents and Settings\Věra\Nabídka Start\Programy\Po spuštění\siszyd32.exe []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2006-11-22 90112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"system"=kdzao.exe []

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Grisoft\AVG7\avgamsvr.exe"="C:\Program Files\Grisoft\AVG7\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\Program Files\Grisoft\AVG7\avgemc.exe"="C:\Program Files\Grisoft\AVG7\avgemc.exe:*:Enabled:avgemc.exe"
"C:\Program Files\Hasbro Interactive\RollerCoaster Tycoon\rct.exe"="C:\Program Files\Hasbro Interactive\RollerCoaster Tycoon\rct.exe:*:Enabled:rct"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\ICQ6.5\ICQ.exe"="C:\Program Files\ICQ6.5\ICQ.exe:*:Enabled:ICQ6"
"C:\Program Files\ICQ7.0\ICQ.exe"="C:\Program Files\ICQ7.0\ICQ.exe:*:Enabled:ICQ7"
"C:\Program Files\ICQ7.0\aolload.exe"="C:\Program Files\ICQ7.0\aolload.exe:*:Enabled:aolload.exe"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\ICQ7.0\ICQ.exe"="C:\Program Files\ICQ7.0\ICQ.exe:*:Enabled:ICQ7"
"C:\Program Files\ICQ7.0\aolload.exe"="C:\Program Files\ICQ7.0\aolload.exe:*:Enabled:aolload.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c3739a23-5867-11dc-be7c-806d6172696f}]
shell\AutoRun\command - D:\Setup.exe
shell\dxsetup\command - D:\directx\dxsetup.exe
shell\setup\command - D:\setup.exe


======List of files/folders created in the last 1 months======

2010-02-26 15:34:42 ----D---- C:\Program Files\trend micro
2010-02-26 15:34:39 ----D---- C:\rsit
2010-02-25 17:03:33 ----D---- C:\Program Files\D-Day
2010-02-13 18:16:03 ----D---- C:\Program Files\SweetIM
2010-02-13 18:16:03 ----D---- C:\Documents and Settings\All Users\Data aplikací\SweetIM
2010-02-02 17:31:46 ----D---- C:\Documents and Settings\Věra\Data aplikací\skypePM

======List of files/folders modified in the last 1 months======

2010-02-26 15:34:45 ----D---- C:\WINDOWS\Prefetch
2010-02-26 15:34:43 ----D---- C:\WINDOWS\temp
2010-02-26 15:34:42 ----RD---- C:\Program Files
2010-02-26 14:53:49 ----D---- C:\Documents and Settings\Věra\Data aplikací\ICQ
2010-02-26 13:13:14 ----A---- C:\WINDOWS\winamp.ini
2010-02-26 13:04:56 ----D---- C:\WINDOWS\system32\CatRoot2
2010-02-25 21:24:19 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-02-25 21:00:23 ----SHD---- C:\WINDOWS\Installer
2010-02-25 17:13:00 ----D---- C:\WINDOWS\system32\drivers
2010-02-24 11:41:17 ----A---- C:\WINDOWS\win.ini
2010-02-24 11:22:57 ----SD---- C:\Documents and Settings\All Users\Data aplikací\Microsoft
2010-02-22 19:59:13 ----RASH---- C:\boot.ini
2010-02-22 19:59:13 ----A---- C:\WINDOWS\system.ini
2010-02-22 19:45:59 ----A---- C:\WINDOWS\ntbtlog.txt
2010-02-22 19:32:19 ----D---- C:\WINDOWS
2010-02-18 19:50:03 ----RSHDC---- C:\WINDOWS\system32\dllcache
2010-02-18 19:49:29 ----D---- C:\WINDOWS\system32
2010-02-18 15:13:59 ----D---- C:\Program Files\ICQ7.0
2010-02-15 19:03:35 ----D---- C:\temp
2010-02-13 18:16:15 ----D---- C:\WINDOWS\WinSxS
2010-02-13 17:13:24 ----D---- C:\Documents and Settings\Věra\Data aplikací\Skype
2010-02-06 15:51:44 ----A---- C:\WINDOWS\NeroDigital.ini

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 cdrbsdrv;cdrbsdrv; C:\WINDOWS\system32\drivers\cdrbsdrv.sys [2005-05-10 32256]
R1 easdrv;easdrv; C:\WINDOWS\system32\DRIVERS\easdrv.sys [2007-11-14 27656]
R1 epfwtdi;epfwtdi; C:\WINDOWS\system32\DRIVERS\epfwtdi.sys [2007-11-14 53768]
R1 prodrv06;StarForce Protection Environment Driver v6; C:\WINDOWS\System32\drivers\prodrv06.sys [2004-09-03 54368]
R2 eamon;EAMON; C:\WINDOWS\system32\DRIVERS\eamon.sys [2007-11-14 33800]
R2 epfw;epfw; C:\WINDOWS\system32\DRIVERS\epfw.sys [2007-11-14 50696]
R3 ADIHdAudAddService;ADI UAA Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\ADIHdAud.sys [2005-10-05 141312]
R3 AEAudioService;AEAudio Service; C:\WINDOWS\system32\drivers\AEAudio.sys [2005-03-04 127872]
R3 Afc;PPdus ASPI Shell; C:\WINDOWS\system32\drivers\Afc.sys [2005-02-23 11776]
R3 Arp1394;Protokol 1394 ARP Client; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2006-11-22 2829824]
R3 epfwndis;Eset Personal Firewall; C:\WINDOWS\system32\DRIVERS\Epfwndis.sys [2007-11-14 30728]
R3 HDAudBus;Ovladač Microsoft UAA pro sběrnici High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 MTsensor;ATK0110 ACPI UTILITY; C:\WINDOWS\system32\DRIVERS\ASACPI.sys [2004-08-13 5810]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2006-02-17 34176]
R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2006-02-17 13056]
R3 SenFiltService;SenFilt Service; C:\WINDOWS\system32\drivers\Senfilt.sys [2005-08-11 393088]
R3 usbehci;Ovladač miniportu rozšířeného radiče hostitele Microsoft USB 2.0; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Rozbočovač umožnující USB2; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Ovladač Miniport otevřeného hostitelského řadiče Microsoft USB; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
S1 9ec11c71;9ec11c71; C:\WINDOWS\System32\drivers\9ec11c71.sys []
S3 catchme;catchme; \??\C:\DOCUME~1\VRA~1\LOCALS~1\Temp\catchme.sys []
S3 CCDECODE;Dekodér Closed Caption; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
S3 HdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\HdAudio.sys [2004-10-27 145920]
S3 HidUsb;Ovladač třídy standardu HID; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 mouhid;Ovladač myši standardu HID; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-10-24 12160]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]
S3 PAC207;PC Camer@; C:\WINDOWS\system32\DRIVERS\PFC027.SYS [2006-11-20 506112]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]
S3 usbccgp;Obecný nadřazený ovladač Microsoft USB; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Třída USB Printer; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;Ovladač skeneru USB; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;Ovladač velkokapacitního paměťového zařízení USB; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WSTCODEC;Dálnopisný kodek světového standardu; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2006-11-22 430080]
R2 bgsvcgen;B's Recorder GOLD Library General Service; C:\WINDOWS\system32\bgsvcgen.exe [2005-04-30 86016]
R2 ekrn;Eset Service; C:\Program Files\Smart Security\ekrn.exe [2007-11-14 455936]
R2 ICQ Service;ICQ Service; C:\Program Files\ICQ6Toolbar\ICQ Service.exe [2010-01-03 246520]
R2 RichVideo;Cyberlink RichVideo Service(CRVS); C:\Program Files\CyberLink\Shared files\RichVideo.exe [2005-08-08 167936]
S2 gupdate1ca18eed470808a;Služba Google Update (gupdate1ca18eed470808a); C:\Program Files\Google\Update\GoogleUpdate.exe [2009-08-09 133104]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
S3 ehttpsrv;Eset HTTP Server; C:\Program Files\Smart Security\EHttpSrv.exe [2007-11-14 18176]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-03 69632]
S3 NBService;NBService; C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe [2007-04-13 792112]
S3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe [2007-05-16 271920]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 WMPNetworkSvc;Služba Windows Media Player Network Sharing; C:\Program Files\Windows Media Player\WMPNetwk.exe [2007-01-05 913920]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]

-----------------EOF-----------------

Vidím tam zbytky po virech a nefunkční aktualizace, pravděpodobně pozměněný klíč od toho rootkita, pokud nemáte nic proti combofixu, raději bych to zkontrolovala, zda tam něco nezůstalo.


Stáhněte na plochu, ukončete všechna aktivní okna a spusťte ComboFix - http://download.bleepingcomputer.com/sUBs/ComboFix.exe


- ComboFix je třeba spustit pod účtem s právy administrátora

- Před použitím vypněte všechny rezidentní bezpečnostní programy - antiviry, firewally, antispywary

- Po spuštění se zobrazí podmínky užití, potvrďte je stiskem tlačítka Ano

- Dále postupujte dle pokynů, během aplikování ComboFixu neklikejte do zobrazujícího se okna

- Po dokončení skenování, trvajícího maximálně 10 minut, by měl program vytvořit log - C:\ComboFix.txt, zkopírujte celý jeho obsah sem

ComboFix 10-03-04.05 - Věra 05.03.2010 18:36:49.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1250.420.1029.18.1022.640 [GMT 1:00]
Spuštěný z: c:\documents and settings\Věra\Plocha\ComboFix.exe
AV: ESET Smart Security 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
* Rezidentní štít AV je zapnutý


VAROVÁNÍ - NA TOMTO POČÍTAČI NENÍ NAINSTALOVÁNA KONZOLA PRO ZOTAVENÍ !!
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\1679560647.dat
c:\windows\system32\driVERs\wlufgkj.sys
c:\windows\wiaservim.log

.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_wlufgkj
-------\Service_wlufgkj


((((((((((((((((((((((((( Soubory vytvořené od 2010-02-05 do 2010-03-05 )))))))))))))))))))))))))))))))
.

2010-02-26 14:34 . 2010-02-26 14:35 -------- d-----w- c:\program files\trend micro
2010-02-26 14:34 . 2010-02-26 14:35 -------- d-----w- C:\rsit
2010-02-25 16:03 . 2010-02-25 16:11 -------- d-----w- c:\program files\D-Day
2010-02-13 17:16 . 2010-02-13 17:16 -------- d-----w- c:\program files\SweetIM

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-24 10:23 . 2010-01-23 16:36 304160 ----a-w- C:\PA207.DAT
2010-02-18 14:13 . 2010-01-23 16:03 -------- d-----w- c:\program files\ICQ7.0
2010-02-02 16:31 . 2010-02-02 16:31 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-01-25 16:41 . 2010-01-25 16:41 -------- d-----w- c:\program files\GoldWave
2010-01-24 07:46 . 2009-01-01 13:22 -------- d-----w- c:\program files\ICQ6Toolbar
2010-01-23 16:04 . 2007-08-29 06:59 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-17 17:04 . 2010-01-17 17:03 -------- d-----w- c:\program files\totalcmd
2010-01-11 10:11 . 2009-06-02 18:16 -------- d-----w- c:\program files\Mořské dobrodružství
2007-09-14 18:21 . 2007-09-14 18:20 297276 ----a-w- c:\program files\Uninst.isu
1999-07-15 22:10 . 2007-09-14 18:21 905216 ----a-w- c:\program files\revolt.exe
1999-07-15 21:10 . 2007-09-14 18:21 142680 ----a-w- c:\program files\readme.doc
1998-10-16 08:41 . 2007-09-14 18:21 322560 ------w- c:\program files\Mss32.dll
1998-10-06 11:36 . 2007-09-14 18:21 4640 ------w- c:\program files\mssb16.tsk
1998-10-06 11:36 . 2007-09-14 18:21 272384 ------w- c:\program files\mss16.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-07-01_17.52.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-01-23 16:32 . 2008-04-14 04:22 54272 c:\windows\system32\vfwwdm32.dll
- 1980-01-01 00:00 . 2009-05-29 12:33 53608 c:\windows\system32\perfc009.dat
+ 1980-01-01 00:00 . 2009-10-25 07:17 53608 c:\windows\system32\perfc009.dat
+ 1980-01-01 00:00 . 2009-10-25 07:17 63148 c:\windows\system32\perfc005.dat
- 1980-01-01 00:00 . 2009-05-29 12:33 63148 c:\windows\system32\perfc005.dat
+ 2007-09-12 14:52 . 2009-08-27 10:42 88589 c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
+ 2010-01-23 16:33 . 2008-04-13 19:46 19200 c:\windows\system32\drivers\WSTCODEC.SYS
+ 2010-01-23 16:34 . 2008-04-13 19:46 15232 c:\windows\system32\drivers\StreamIP.sys
+ 2010-01-23 16:33 . 2008-04-13 19:46 11136 c:\windows\system32\drivers\SLIP.sys
+ 2004-09-03 17:19 . 2004-09-03 17:19 54368 c:\windows\system32\drivers\prodrv06.sys
+ 2010-01-23 16:34 . 2008-04-13 19:46 10880 c:\windows\system32\drivers\NdisIP.sys
+ 2010-01-23 16:33 . 2008-04-13 19:46 85248 c:\windows\system32\drivers\NABTSFEC.sys
+ 2007-11-14 13:06 . 2007-11-14 13:06 53768 c:\windows\system32\drivers\epfwtdi.sys
+ 2007-11-14 13:06 . 2007-11-14 13:06 30728 c:\windows\system32\drivers\epfwndis.sys
+ 2007-11-14 13:06 . 2007-11-14 13:06 50696 c:\windows\system32\drivers\epfw.sys
+ 2007-11-14 13:04 . 2007-11-14 13:04 27656 c:\windows\system32\drivers\easdrv.sys
+ 2007-11-14 13:03 . 2007-11-14 13:03 33800 c:\windows\system32\drivers\eamon.sys
+ 2010-01-23 16:33 . 2008-04-13 19:46 17024 c:\windows\system32\drivers\CCDECODE.sys
+ 2010-01-23 16:33 . 2008-04-13 19:46 19200 c:\windows\system32\dllcache\wstcodec.sys
+ 2010-01-23 16:32 . 2008-04-14 04:22 54272 c:\windows\system32\dllcache\vfwwdm32.dll
+ 2010-01-23 16:34 . 2008-04-13 19:46 15232 c:\windows\system32\dllcache\streamip.sys
+ 2010-01-23 16:33 . 2008-04-13 19:46 11136 c:\windows\system32\dllcache\slip.sys
+ 2010-01-23 16:34 . 2008-04-13 19:46 10880 c:\windows\system32\dllcache\ndisip.sys
+ 2010-01-23 16:33 . 2008-04-13 19:46 85248 c:\windows\system32\dllcache\nabtsfec.sys
+ 2010-01-23 16:33 . 2008-04-13 19:46 17024 c:\windows\system32\dllcache\ccdecode.sys
+ 2009-07-01 17:54 . 2008-10-16 13:09 51224 c:\windows\system32\dllcache\cache\wuauclt.exe
+ 2009-07-01 17:54 . 2008-04-14 03:22 82432 c:\windows\system32\dllcache\cache\ws2_32.dll
+ 2009-07-01 17:54 . 2008-04-14 03:22 26112 c:\windows\system32\dllcache\cache\userinit.exe
+ 2009-07-01 17:54 . 2008-04-14 03:22 14336 c:\windows\system32\dllcache\cache\svchost.exe
+ 2009-07-01 17:54 . 2008-04-14 03:22 57856 c:\windows\system32\dllcache\cache\spoolsv.exe
+ 2009-07-01 17:54 . 2008-04-14 03:21 17408 c:\windows\system32\dllcache\cache\powrprof.dll
+ 2009-07-01 17:54 . 2008-04-14 03:22 13312 c:\windows\system32\dllcache\cache\lsass.exe
+ 2009-07-01 17:54 . 2008-04-14 02:29 24576 c:\windows\system32\dllcache\cache\kbdclass.sys
+ 2009-07-01 17:54 . 2008-04-13 18:53 36608 c:\windows\system32\dllcache\cache\ip6fw.sys
+ 2009-07-01 17:54 . 2008-04-14 03:22 15360 c:\windows\system32\dllcache\cache\ctfmon.exe
+ 1980-01-01 00:00 . 2008-04-13 18:57 14336 c:\windows\system32\dllcache\asyncmac.sys
- 2007-08-29 07:01 . 2008-09-28 18:54 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-08-29 07:01 . 2010-02-18 18:49 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-08-29 07:01 . 2010-02-18 18:49 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-08-29 07:01 . 2008-09-28 18:54 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-08-29 07:01 . 2008-09-28 18:54 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2007-08-29 07:01 . 2010-02-18 18:49 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2010-02-25 20:00 . 2010-02-25 20:00 22528 c:\windows\Installer\cf8ef6.msi
+ 2009-01-10 16:28 . 2009-01-10 16:28 51712 c:\windows\Installer\1df336e.msi
+ 2010-02-13 17:16 . 2010-02-13 17:16 10134 c:\windows\Installer\{DF6F459C-8B89-4F88-B63F-A2E136BB6B79}\ARPPRODUCTICON.exe
+ 2009-08-09 12:10 . 2009-08-09 12:10 10134 c:\windows\Installer\{B7E0C767-2F7F-4A9C-82F9-DBA8FE435692}\ARPPRODUCTICON.exe
- 2009-05-07 14:10 . 2009-05-07 14:10 10134 c:\windows\Installer\{B7E0C767-2F7F-4A9C-82F9-DBA8FE435692}\ARPPRODUCTICON.exe
- 2009-05-07 14:10 . 2009-05-07 14:10 40960 c:\windows\Installer\{B7E0C767-2F7F-4A9C-82F9-DBA8FE435692}\AMCap.exe_B7E0C7672F7F4A9C82F9DBA8FE435692.exe
+ 2009-08-09 12:10 . 2009-08-09 12:10 40960 c:\windows\Installer\{B7E0C767-2F7F-4A9C-82F9-DBA8FE435692}\AMCap.exe_B7E0C7672F7F4A9C82F9DBA8FE435692.exe
+ 2009-07-01 17:59 . 2009-07-01 17:59 10134 c:\windows\Installer\{6842BFA3-05A9-4C61-A73B-5493B761CACC}\callmsi.exe
+ 2010-02-13 17:16 . 2010-02-13 17:16 10134 c:\windows\Installer\{31CF6C0E-51F0-41D2-B088-A6A143C4303C}\ARPPRODUCTICON.exe
+ 2003-12-01 15:20 . 2003-12-01 15:20 4832 c:\windows\system32\drivers\sfhlp01.sys
+ 2004-07-19 14:49 . 2004-07-19 14:49 7040 c:\windows\system32\drivers\prosync1.sys
+ 2010-01-23 16:34 . 2008-04-13 19:39 5504 c:\windows\system32\drivers\MSTEE.sys
+ 2010-01-23 16:34 . 2008-04-13 19:39 5504 c:\windows\system32\dllcache\mstee.sys
+ 2006-11-20 07:04 . 2006-11-20 07:04 6656 c:\windows\system32\CoInst.dll
+ 2007-11-07 00:19 . 2007-11-07 00:19 655872 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcr90.dll
+ 2007-11-07 00:19 . 2007-11-07 00:19 568832 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcp90.dll
+ 2007-11-06 19:23 . 2007-11-06 19:23 224768 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcm90.dll
+ 2009-08-09 12:05 . 2005-04-27 14:36 245408 c:\windows\system32\unicows.dll
+ 1980-01-01 00:00 . 2009-10-25 07:17 383254 c:\windows\system32\perfh009.dat
- 1980-01-01 00:00 . 2009-05-29 12:33 383254 c:\windows\system32\perfh009.dat
- 1980-01-01 00:00 . 2009-05-29 12:33 382548 c:\windows\system32\perfh005.dat
+ 1980-01-01 00:00 . 2009-10-25 07:17 382548 c:\windows\system32\perfh005.dat
+ 2009-07-18 03:12 . 2009-07-18 03:12 257440 c:\windows\system32\Macromed\Flash\FlashUtil10c.exe
+ 2004-09-03 17:23 . 2004-09-03 17:23 115680 c:\windows\system32\drivers\prohlp02.sys
+ 2006-11-20 06:48 . 2006-11-20 06:48 506112 c:\windows\system32\drivers\PFC027.SYS
+ 2009-07-01 17:54 . 2008-04-14 03:22 507904 c:\windows\system32\dllcache\cache\winlogon.exe
+ 2009-07-01 17:54 . 2009-03-03 00:14 826368 c:\windows\system32\dllcache\cache\wininet.dll
+ 2009-07-01 17:54 . 2008-04-14 03:22 578560 c:\windows\system32\dllcache\cache\user32.dll
+ 2009-07-01 17:54 . 2008-04-14 03:22 295936 c:\windows\system32\dllcache\cache\termsrv.dll
+ 2009-07-01 17:54 . 2008-06-20 11:51 361600 c:\windows\system32\dllcache\cache\tcpip.sys
+ 2009-07-01 17:54 . 2009-02-09 11:25 111104 c:\windows\system32\dllcache\cache\services.exe
+ 2009-07-01 17:54 . 2008-04-13 19:20 182656 c:\windows\system32\dllcache\cache\ndis.sys
+ 2009-07-01 17:54 . 2009-03-21 14:09 988160 c:\windows\system32\dllcache\cache\kernel32.dll
+ 2009-07-01 17:54 . 2008-04-14 03:21 110080 c:\windows\system32\dllcache\cache\imm32.dll
+ 2007-08-29 06:51 . 2008-04-13 16:39 142592 c:\windows\system32\dllcache\aec.sys
+ 2006-10-12 16:09 . 2006-10-12 16:09 413696 c:\windows\PixArt\Pac207\PASnap.exe
+ 2006-11-03 09:01 . 2006-11-03 09:01 319488 c:\windows\PixArt\Pac207\Monitor.exe
+ 2006-11-20 07:01 . 2006-11-20 07:01 163840 c:\windows\PixArt\Pac207\AmCap.exe
+ 2009-08-10 07:48 . 2009-08-10 07:48 792576 c:\windows\Installer\d3e7.msi
+ 2008-03-08 15:29 . 2008-03-08 15:29 892416 c:\windows\Installer\a5c99.msi
+ 2007-09-12 17:17 . 2007-09-12 17:17 431104 c:\windows\Installer\864deb.msi
+ 2009-01-11 18:05 . 2009-01-11 18:05 470528 c:\windows\Installer\421479.msi
+ 2007-09-12 15:37 . 2007-09-12 15:37 344064 c:\windows\Installer\421445.msp
+ 2007-09-19 16:34 . 2007-09-19 16:34 377344 c:\windows\Installer\41905.msi
+ 2008-11-13 16:35 . 2008-11-13 16:35 432640 c:\windows\Installer\3a1e8f.msi
+ 2009-07-01 17:59 . 2009-07-01 17:59 830464 c:\windows\Installer\1b68c.msi
+ 2008-01-23 15:51 . 2008-01-23 15:51 816640 c:\windows\Installer\189712.msp
+ 2008-07-28 14:04 . 2008-07-28 14:04 162304 c:\windows\Installer\1896fe.msp
+ 2008-11-22 11:54 . 2008-11-22 11:54 886272 c:\windows\Installer\181e92.msi
+ 2007-08-29 07:03 . 2007-08-29 07:03 265216 c:\windows\Installer\10619.msi
+ 2009-08-09 12:59 . 2009-08-09 12:59 371272 c:\windows\Installer\{D103C4BA-F905-437A-8049-DB24763BBE36}\SkypeIcon.exe
+ 2009-07-01 17:59 . 2009-07-01 17:59 140544 c:\windows\Installer\{6842BFA3-05A9-4C61-A73B-5493B761CACC}\egui.exe
+ 1980-01-01 00:00 . 2006-03-02 14:00 1356800 c:\windows\system32\webfldrs.msi
+ 2009-07-01 17:54 . 2008-04-14 03:21 1571840 c:\windows\system32\dllcache\cache\sfcfiles.dll
+ 2009-07-01 17:54 . 2009-02-09 11:26 2191232 c:\windows\system32\dllcache\cache\ntoskrnl.exe
+ 2009-07-01 17:54 . 2009-02-10 17:09 2068224 c:\windows\system32\dllcache\cache\ntkrnlpa.exe
+ 2009-07-01 17:54 . 2008-04-14 03:22 1034240 c:\windows\system32\dllcache\cache\explorer.exe
+ 2008-09-28 17:38 . 2006-03-02 14:00 1356800 c:\windows\ServicePackFiles\i386\webfldrs.msi
+ 2007-05-25 10:08 . 2007-05-25 10:08 9609728 c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp
+ 2007-08-29 09:28 . 2007-08-29 09:28 6379520 c:\windows\Installer\fd80c.msi
+ 2009-04-06 15:00 . 2009-04-06 15:00 5518336 c:\windows\Installer\f98dff.msp
+ 2007-08-29 06:55 . 2007-08-29 06:55 3446272 c:\windows\Installer\f5251.msi
+ 2009-05-01 13:49 . 2009-05-01 13:49 4328960 c:\windows\Installer\c10b25.msp
+ 2008-11-12 18:09 . 2008-11-12 18:09 5788160 c:\windows\Installer\bc265b.msi
+ 2009-06-09 14:59 . 2009-06-09 14:59 1263616 c:\windows\Installer\91f189.msi
+ 2009-03-05 13:40 . 2009-03-05 13:40 6819840 c:\windows\Installer\6eba72.msp
+ 2009-08-09 12:10 . 2009-08-09 12:10 5857792 c:\windows\Installer\637b8.msi
+ 2009-01-14 14:43 . 2009-01-14 14:43 5520384 c:\windows\Installer\5d686d.msp
+ 2007-10-05 17:13 . 2007-10-05 17:13 9803264 c:\windows\Installer\5ce30.msi
+ 2010-02-13 17:16 . 2010-02-13 17:16 1189376 c:\windows\Installer\4fccbe.msi
+ 2010-02-13 17:16 . 2010-02-13 17:16 4392448 c:\windows\Installer\4fccb9.msi
+ 2008-04-24 09:22 . 2008-04-24 09:22 4275712 c:\windows\Installer\4214b7.msp
+ 2005-10-26 13:59 . 2005-10-26 13:59 2883072 c:\windows\Installer\4214ae.msp
+ 2008-11-05 13:25 . 2008-11-05 13:25 5518336 c:\windows\Installer\421439.msp
+ 2008-12-12 10:09 . 2008-12-12 10:09 5517824 c:\windows\Installer\36a16d.msp
+ 2009-08-09 12:59 . 2009-08-09 12:59 1565696 c:\windows\Installer\2f1991.msi
+ 2007-09-01 09:09 . 2007-09-01 09:09 7476736 c:\windows\Installer\2f098.msi
+ 2007-09-01 09:01 . 2007-09-01 09:01 7569920 c:\windows\Installer\2f08e.msi
+ 2008-10-05 03:12 . 2008-10-05 03:12 4784128 c:\windows\Installer\1df3374.msp
+ 2008-06-11 14:05 . 2008-06-11 14:05 9994240 c:\windows\Installer\1897f6.msp
+ 2008-11-19 08:01 . 2008-11-19 08:01 3732480 c:\windows\Installer\1897d7.msp
+ 2008-10-22 21:43 . 2008-10-22 21:43 6820352 c:\windows\Installer\1897ce.msp
+ 2008-10-22 21:48 . 2008-10-22 21:48 7672832 c:\windows\Installer\1897b9.msp
+ 2008-04-01 13:33 . 2008-04-01 13:33 5479936 c:\windows\Installer\1897a4.msp
+ 2008-01-31 09:30 . 2008-01-31 09:30 9947648 c:\windows\Installer\18978c.msp
+ 2008-01-14 15:53 . 2008-01-14 15:53 5213696 c:\windows\Installer\189770.msp
+ 2008-10-25 08:15 . 2008-10-25 08:15 6227456 c:\windows\Installer\189750.msp
+ 2008-07-08 10:27 . 2008-07-08 10:27 8436736 c:\windows\Installer\189727.msp
+ 2009-02-11 14:02 . 2009-02-11 14:02 5519872 c:\windows\Installer\14c797.msp
+ 2009-01-15 02:35 . 2009-01-15 02:35 4830720 c:\windows\Installer\1370a4.msp
+ 2007-09-02 06:49 . 2007-09-02 06:49 1256448 c:\windows\Installer\11b3b.msi
+ 2007-08-29 07:00 . 2007-08-29 07:00 3122176 c:\windows\Installer\10348a.msi
+ 2007-08-29 06:56 . 2007-08-29 06:56 5864960 c:\windows\Installer\103480.msp
+ 2007-09-12 17:18 . 2007-09-12 17:18 15256576 c:\windows\Installer\864e02.msp
+ 2008-07-30 07:50 . 2008-07-30 07:50 12506112 c:\windows\Installer\421481.msp
+ 2008-06-04 12:29 . 2008-06-04 12:29 16905728 c:\windows\Installer\42145b.msp
+ 2007-09-12 15:37 . 2007-09-12 15:37 12836864 c:\windows\Installer\421452.msp
+ 2007-09-12 15:40 . 2007-09-12 15:40 12896768 c:\windows\Installer\421446.msp
+ 2007-12-06 18:37 . 2007-12-06 18:37 19175936 c:\windows\Installer\2bd2c.msi
+ 2008-01-14 14:24 . 2008-01-14 14:24 10721280 c:\windows\Installer\18973b.msp
+ 2007-08-29 06:56 . 2007-08-29 06:56 19210240 c:\windows\Installer\103479.msp
+ 2008-02-16 14:46 . 2009-08-09 12:08 10101760 c:\windows\Downloaded Installations\{05EC26A0-5B74-47F2-9D79-5D50503CA570}\PC CIF Camer@.msi
+ 2007-07-27 07:43 . 2007-07-27 07:43 109673984 c:\windows\Installer\421423.msp
.
-- Snímek resetován k současnému datu --
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{EEE6C35D-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll" [2009-10-19 187192]

[HKEY_CLASSES_ROOT\clsid\{eee6c35d-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SweetIM_URLSearchHook.ToolbarURLSearchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35F-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SweetIM_URLSearchHook.ToolbarURLSearchHook]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847}]
2009-10-19 15:15 1345336 ----a-w- c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EEE6C35B-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2009-10-19 1345336]

[HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SWEETIE.IEToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SWEETIE.IEToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{EEE6C35B-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2009-10-19 1345336]

[HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SWEETIE.IEToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SWEETIE.IEToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2006-05-16 57344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-07-12 29696]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-09-29 49152]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"OM_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2006-05-16 40960]
"egui"="c:\program files\Smart Security\egui.exe" [2007-11-14 1410304]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-10-05 282624]
"SweetIM"="c:\program files\SweetIM\Messenger\SweetIM.exe" [2009-10-20 111928]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Nabídka Start^Programy^Po spuštění^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\c:^documents and settings^věra^nabídka start^programy^po spuštění^rncsys32.exe]
path=c:\documents and settings\Věra\Nabídka Start\Programy\Po spuštění\rncsys32.exe
backup=c:\windows\pss\rncsys32.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Věra^Nabídka Start^Programy^Po spuštění^siszyd32.exe]
path=c:\documents and settings\Věra\Nabídka Start\Programy\Po spuštění\siszyd32.exe
backup=c:\windows\pss\siszyd32.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-05-16 07:27 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
2004-10-27 13:21 61952 ------w- c:\windows\system32\HdAShCut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
2006-10-11 10:45 75304 ----a-w- c:\program files\ScanSoft\OmniPageSE4.0\OpWareSE4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-10-05 17:13 282624 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2007-08-31 14:46 1460560 ----a-w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2006-09-28 11:16 185896 ----a-w- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"c:\\Program Files\\Hasbro Interactive\\RollerCoaster Tycoon\\rct.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\ICQ7.0\\ICQ.exe"=
"c:\\Program Files\\ICQ7.0\\aolload.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 ekrn;Eset Service;c:\program files\Smart Security\ekrn.exe [14.11.2007 14:05 455936]
R2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [1.1.2009 14:22 246520]
S0 pwjdaim;pwjdaim; [x]
S1 9ec11c71;9ec11c71;c:\windows\system32\drivers\9ec11c71.sys [26.5.2009 14:17 0]
S2 gupdate1ca18eed470808a;Služba Google Update (gupdate1ca18eed470808a);c:\program files\Google\Update\GoogleUpdate.exe [9.8.2009 13:39 133104]
S3 PAC207;PC Camer@;c:\windows\system32\drivers\PFC027.SYS [20.11.2006 7:48 506112]
.
Obsah adresáře 'Naplánované úlohy'

2010-03-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-09 12:38]

2010-03-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-09 12:38]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.seznam.cz/
mStart Page = hxxp://home.sweetim.com
uInternet Connection Wizard,ShellNext = iexplore
IE: {{88EB38EF-4D2C-436D-ABD3-56B232674062} - c:\program files\ICQ7.0\ICQ.exe
TCP: {93E3A136-3973-4909-90FB-98180DA96C9C} = 208.67.220.220,208.67.222.222
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game12.zylom.com/activex/zylomgamesplayer.cab
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -

HKCU-Run-ICQ - ~c:\program files\ICQ7.0\ICQ.exe
MSConfigStartUp-Toolbar_eula_launcher - c:\install\google\eula\EULALauncher.exe
AddRemove-atoll - c:\atoll\Uninstall-Atoll.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-05 18:47
Windows 5.1.2600 Service Pack 3 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(920)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2516)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\bgsvcgen.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
.
**************************************************************************
.
Celkový čas: 2010-03-05 18:55:50 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-03-05 17:55
ComboFix2.txt 2009-07-01 17:55

Před spuštěním: Volných bajtů: 171 983 813 120
Po spuštění: Volných bajtů: 172 828 486 656

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - D13DB26352B6927B240B6BCB51FE35BE

Otestujte na www.virustotal.com
c:\windows\system32\drivers\9ec11c71.sys
c:\program files\revolt.exe
c:\program files\Mss32.dll
c:\program files\mssb16.tsk
c:\program files\mss16.dll
c:\program files\Uninst.isu
c:\program files\revolt.exe
-Na virustotalu dáte procházet, a do spodního okénka nakopírujete přímo cestu k souboru a dáte odeslat
-z prohlížeče zkopírujete adresu ke stránce s výsledky