Hi, my problem - Win32:Rootkit-gen [Rtk]
Posted: 26 Feb 2010 00:15
It cannot be moved to the Virus Chest; avast then offers to delete or ignore it. I don't want to delete it because I don't know what that would do.
Please check the log.
Name of the affected file: C:\WINDOWS\System32\Drivers\vutmao.sys
ComboFix log:
ComboFix 10-02-25.02 - Honza PC 25.02.2010 23:48:14.1.2 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.3582.3227 [GMT 1:00]
Spuštěný z: c:\documents and settings\Honza PC\Plocha\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100225-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\patchw32.dll
c:\windows\srchasst\nls302en.lex
E:\install.exe
.
((((((((((((((((((((((((( Soubory vytvořené od 2010-01-25 do 2010-02-25 )))))))))))))))))))))))))))))))
.
2010-02-25 22:39 . 2010-02-25 22:52 792064 ----a-w- c:\windows\system32\drivers\vutmao.sys
2010-02-25 22:39 . 2008-04-13 21:09 142592 -c--a-w- c:\windows\system32\dllcache\aec.sys
2010-02-25 22:39 . 2008-04-13 21:09 142592 ----a-w- c:\windows\system32\drivers\aec.sys
2010-02-24 11:17 . 2010-02-24 11:17 -------- d-----w- c:\program files\Roger Wilco
2010-02-23 17:30 . 2010-02-23 17:30 -------- d-----w- c:\program files\ICQ6Toolbar
2010-02-23 17:28 . 2010-02-23 17:42 -------- d-----w- c:\program files\ICQ6.5
2010-02-22 22:27 . 2010-02-24 11:20 1065 ----a-w- c:\windows\eReg.dat
2010-02-22 21:58 . 2010-02-22 21:58 -------- d-----w- c:\program files\Common Files\EasyInfo
2010-02-22 17:44 . 2010-02-24 11:17 -------- d-----w- c:\program files\GameSpy Arcade
2010-02-22 17:39 . 2010-02-22 22:12 -------- d-----w- c:\program files\EA GAMES
2010-02-18 21:01 . 2010-02-18 21:05 -------- d-----w- c:\program files\Google
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-25 19:01 . 2009-12-18 12:26 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-22 22:10 . 2009-12-18 12:26 -------- d-----w- c:\program files\Common Files\InstallShield
2010-02-22 20:59 . 2009-12-18 13:33 -------- d-----w- c:\program files\AGEIA Technologies
2010-02-22 20:41 . 2010-01-20 16:35 -------- d-----w- c:\program files\M-Audio
2010-02-22 20:01 . 2009-12-18 13:33 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-20 16:53 . 2010-01-20 16:53 -------- d-----w- c:\program files\Common Files\PACE Anti-Piracy
2010-01-20 16:51 . 2010-01-20 16:51 -------- d-----w- c:\program files\InterLok
2010-01-20 16:42 . 2010-01-20 16:35 -------- d-----w- c:\program files\Common Files\Digidesign
2010-01-20 16:42 . 2010-01-20 16:37 -------- d-----w- c:\program files\Digidesign
2010-01-19 18:29 . 2009-12-18 13:17 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-15 17:57 . 2010-01-15 17:57 -------- d-----w- c:\program files\Blender Foundation
2010-01-07 13:48 . 2004-08-18 12:00 83652 ----a-w- c:\windows\system32\perfc005.dat
2010-01-07 13:48 . 2004-08-18 12:00 440316 ----a-w- c:\windows\system32\perfh005.dat
2010-01-05 23:37 . 2010-01-05 23:37 -------- d-----w- c:\program files\Emote
2010-01-05 12:26 . 2010-01-05 12:26 -------- d-----w- c:\program files\Team17 Software Ltd
2010-01-04 17:58 . 2010-01-04 17:57 -------- d-----w- c:\program files\Euro Truck Simulator
2009-12-19 13:31 . 2009-12-19 13:31 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-12-19 12:25 . 2009-12-19 12:25 22328 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-12-19 12:25 . 2009-12-19 12:25 103736 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-12-19 12:25 . 2009-12-19 12:25 669184 ----a-w- c:\windows\system32\pbsvc.exe
2009-12-19 12:25 . 2009-12-19 12:25 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-12-19 12:16 . 2009-12-18 12:34 17488 ----a-w- c:\windows\gdrv.sys
2009-12-18 16:18 . 2009-12-18 16:18 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-12-18 13:45 . 2009-12-18 13:45 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-12-18 13:26 . 2009-12-18 13:26 0 ----a-w- c:\windows\nsreg.dat
2009-12-18 13:19 . 2009-12-18 13:19 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-12-18 12:51 . 2009-12-18 12:18 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-12-18 12:51 . 2009-12-18 12:18 2740 ----a-w- c:\windows\pchealth\helpctr\PackageStore\SkuStore.bin
2009-12-18 12:51 . 2009-12-18 12:18 8972 ----a-w- c:\windows\pchealth\helpctr\Config\Cntstore.bin
2009-12-18 12:17 . 2009-12-18 12:17 21812 ----a-w- c:\windows\system32\emptyregdb.dat
2009-12-11 18:00 . 2009-12-18 13:43 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-11-30 17:02 . 2009-11-30 17:02 171144 ----a-w- c:\windows\system32\xliveinstall.dll
2009-11-30 17:02 . 2009-11-30 17:02 72840 ----a-w- c:\windows\system32\xliveinstallhost.exe
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-05-16 153136]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
"RGSC"="c:\program files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe" [2009-12-19 306088]
"ICQ"="c:\program files\ICQ6.5\ICQ.exe" [2009-11-16 172792]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCU"="c:\program files\DeviceVM\Browser Configuration Utility\BCU.exe" [2009-08-04 346320]
"RTHDCPL"="RTHDCPL.EXE" [2009-06-25 17887232]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-11-20 110184]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-20 12669544]
"WheelMouse"="c:\program files\A4Tech\Mouse\Amoumain.exe" [2007-02-10 241664]
"M-Audio Taskbar Icon"="c:\windows\System32\M-AudioTaskBarIcon.exe" [2009-02-11 480264]
"DigidesignMMERefresh"="c:\program files\Digidesign\Drivers\MMERefresh.exe" [2009-06-18 77824]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\Honza PC\Nabídka Start\Programy\Po spuštění\
winesm32.exe [2008-4-14 29184]
c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2010-1-19 113664]
Media Key.lnk - c:\program files\Media Key\MagicKey.exe [2009-12-20 159744]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Electronic Arts\\Dead Space\\Dead Space.exe"=
"c:\\Program Files\\THQ\\Frontlines-Fuel of War\\Binaries\\FFOW.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Activision\\Modern Warfare 2\\iw4mp.exe"=
"c:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
"c:\\Program Files\\Rockstar Games\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"c:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\GTAIV.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\EA GAMES\\Medal of Honor Pacific Assault(tm)\\mohpa.exe"=
"c:\\Program Files\\EA GAMES\\MOHAA\\MOHAA.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\EA GAMES\\MOHAA\\moh_spearhead.exe"=
"c:\\Program Files\\EA GAMES\\MOHAA\\fpupdate.exe"=
"c:\\Program Files\\EA GAMES\\MOHAA\\moh_Breakthrough.exe"=
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [18.12.2009 14:45 691696]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [18.12.2009 13:58 114768]
R1 kbfilter;Keyboard Filter Driver;c:\windows\system32\drivers\kbfilter.sys [20.12.2009 1:39 12856]
R1 UsbFltr;WayTechUSBFilterDriver;c:\windows\system32\drivers\UsbFltr.sys [20.12.2009 1:39 9291]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [18.12.2009 13:58 20560]
R2 BCUService;Browser Configuration Utility Service;c:\program files\DeviceVM\Browser Configuration Utility\BCUService.exe [18.12.2009 13:26 219360]
R2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [23.2.2010 18:30 222456]
R3 MAUSBFT;Service for M-Audio Fast Track;c:\windows\system32\drivers\mausbft.sys [20.1.2010 17:35 156552]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [18.2.2010 22:01 135664]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\HONZAP~1\LOCALS~1\Temp\ALSysIO.sys --> c:\docume~1\HONZAP~1\LOCALS~1\Temp\ALSysIO.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\ambfilt.sys [18.12.2009 13:29 1684736]
--- Ostatní služby/ovladače v paměti ---
*Deregistered* - vutmao
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-11-20 13:28 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Obsah adresáře 'Naplánované úlohy'
2010-02-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-18 21:01]
2010-02-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-18 21:01]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://start.icq.com/
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Honza PC\Data aplikací\Mozilla\Firefox\Profiles\e2vcwhwg.default\
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - hxxp://www.seznam.cz/
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -
HKLM-Run-nwiz - nwiz.exe
AddRemove-Guitar Pro 5_is1 - c:\program files\Guitar Pro 5\unins000.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-25 23:51
Windows 5.1.2600 Service Pack 3 NTFS
skenování skrytých procesů ...
skenování skrytých položek 'Po spuštění' ...
skenování skrytých souborů ...
c:\documents and settings\Honza PC\Nabídka Start\Programy\Po spuštění\winesm32.exe 29184 bytes executable
sken byl úspešně dokončen
skryté soubory: 1
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spvz.sys >>UNKNOWN [0x84172938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xb80ecf28
\Driver\ACPI -> ACPI.sys @ 0xb7e74cb8
\Driver\atapi -> atapi.sys @ 0xb7cdab40
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Realtek PCIe GBE Family Controller -> SendCompleteHandler -> NDIS.sys @ 0xb7bc5bb0
PacketIndicateHandler -> NDIS.sys @ 0xb7bd2a21
SendHandler -> NDIS.sys @ 0xb7bb087b
user & kernel MBR OK
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vutmao]
.
--------------------- Knihovny navázané na běžící procesy ---------------------
- - - - - - - > 'explorer.exe'(2944)
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\Media Key\OSD.EXE
c:\program files\Rockstar Games\Rockstar Games Social Club\1_1_3_0\RGSC.exe
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
.
**************************************************************************
.
Celkový čas: 2010-02-25 23:55:09 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-02-25 22:55
Před spuštěním: Volných bajtů: 151 633 207 296
Po spuštění: Volných bajtů: 152 867 303 424
WindowsXP-KB310994-SP2-Pro-BootDisk-CSY.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - 31A4C0CA3163688DD36FCFAC53051458
VirusTotal: file no. 1
Additional information
File size: 142592 bytes
MD5...: 8bed39e3c35d6a489438b8141717a557
SHA1..: 7ccd9dda4ed4c776cd1a1be021a13dbc4b277c7e
SHA256: 1b5796e56b0927360ce0759641b1151828bc0a9e45620d2b2d880491f5ce33d0
ssdeep: 3072:/G09oYX0fLiARBfZ2GaQbYS8OMIKG00D6eOBRRhrGfkQqlIPWHCsyVCvk9AqVu:f9NXuRbVYE7kyvWq
PEiD..: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x2186a
timedatestamp.....: 0x4655ed3c (Thu May 24 19:53:32 2007)
machinetype.......: 0x14c (I386)
( 9 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x380 0x1722 0x1780 6.49 7ee2463242024daeb5b6de516c7611a0
.rdata 0x1b00 0x528 0x580 5.08 701033574d4b84815b4ff5f120aff4b3
.data 0x2080 0xe764 0xe780 7.38 aca6584a0ee27c68547161a37df3efa3
PAGE 0x10800 0xcf97 0xd000 6.59 a4171616989422194826fc54be5b35d9
PAGEDATA 0x1d800 0x3420 0x3480 7.38 ec72840a24316eaffafa2cefec3af7b4
PAGECONS 0x20c80 0xa7c 0xa80 3.30 6b9bf618e75b6b264e1c0584edaa73da
INIT 0x21700 0x860 0x880 5.48 166cdb92814dd6c47840958718d5fb0b
.rsrc 0x21f80 0x3c8 0x400 3.24 336ada92a9f25fc195aa599d4fbf9b4b
.reloc 0x22380 0x970 0x980 5.99 57151fe394329fb822093dffd6eed515
( 3 imports )
> ntoskrnl.exe: _wcslwr, wcslen, IoGetDeviceInterfaces, swprintf, PsTerminateSystemThread, KeWaitForSingleObject, wcsstr, KeSetTimer, ZwClose, ObReferenceObjectByHandle, PsCreateSystemThread, KeInitializeTimerEx, KeBugCheckEx, ObfReferenceObject, ObfDereferenceObject, _aulldiv, _allmul, InterlockedExchange, KeGetCurrentThread, KeSetTimerEx, DbgPrint, KeDelayExecutionThread, KeTickCount, KeQueryTimeIncrement, InterlockedCompareExchange, InterlockedIncrement, RtlCheckRegistryKey, RtlCreateRegistryKey, RtlWriteRegistryValue, RtlQueryRegistryValues, RtlFreeUnicodeString, ExFreePoolWithTag, KeSaveFloatingPointState, KeRestoreFloatingPointState, ExAllocatePoolWithTag, KeSetPriorityThread, ExFreePool, RtlRaiseException
> HAL.dll: KeQueryPerformanceCounter
> ks.sys: KsPinGetAvailableByteCount, KsPinRegisterIrpCompletionCallback, KsFilterAttemptProcessing, KsFilterAcquireProcessingMutex, KsFilterReleaseProcessingMutex, KsPinGetConnectedPinDeviceObject, KsPinGetConnectedPinFileObject, KsGetObjectFromFileObject, KsPinGetParentFilter, KsGetPinFromIrp, _KsEdit, KsStreamPointerClone, KsProcessPinUpdate, KsPinGetConnectedPinInterface, KsStreamPointerGetIrp, KsStreamPointerDelete, KsReleaseControl, KsAcquireControl, KsInitializeDriver, KsFilterGetFirstChildPin, KsGetFilterFromIrp
( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
packers (Kaspersky): PE_Patch
sigcheck:
publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: Microsoft Acoustic Echo Canceller
original name: aec.sys
internal name: aec.sys
file version.: 5.1.2601.3142
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
VirusTotal: file no. 2
Additional information
File size: 142592 bytes
MD5...: 8bed39e3c35d6a489438b8141717a557
SHA1..: 7ccd9dda4ed4c776cd1a1be021a13dbc4b277c7e
SHA256: 1b5796e56b0927360ce0759641b1151828bc0a9e45620d2b2d880491f5ce33d0
ssdeep: 3072:/G09oYX0fLiARBfZ2GaQbYS8OMIKG00D6eOBRRhrGfkQqlIPWHCsyVCvk9AqVu:f9NXuRbVYE7kyvWq
Jotti's scans reported that they found nothing.
ComboFix: log after applying the script:
ComboFix 10-02-25.02 - Honza PC 26.02.2010 16:36:29.2.2 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.3582.3244 [GMT 1:00]
Spuštěný z: c:\documents and settings\Honza PC\Plocha\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\Honza PC\Plocha\CFScript.txt
AV: avast! antivirus 4.8.1368 [VPS 100226-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
file zipped: c:\documents and settings\Honza PC\Nabídka Start\Programy\Po spuštění\winesm32.exe
file zipped: c:\windows\system32\drivers\vutmao.sys
.
((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Honza PC\Nabídka Start\Programy\Po spuštění\winesm32.exe
c:\windows\system32\drivers\vutmao.sys
.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_VUTMAO
-------\Service_vutmao
((((((((((((((((((((((((( Soubory vytvořené od 2010-01-26 do 2010-02-26 )))))))))))))))))))))))))))))))
.
2010-02-25 22:39 . 2008-04-13 21:09 142592 -c--a-w- c:\windows\system32\dllcache\aec.sys
2010-02-25 22:39 . 2008-04-13 21:09 142592 ------w- c:\windows\system32\drivers\aec.sys
2010-02-24 11:17 . 2010-02-24 11:17 -------- d-----w- c:\program files\Roger Wilco
2010-02-23 17:30 . 2010-02-23 17:30 -------- d-----w- c:\program files\ICQ6Toolbar
2010-02-23 17:28 . 2010-02-23 17:42 -------- d-----w- c:\program files\ICQ6.5
2010-02-22 22:27 . 2010-02-24 11:20 1065 ----a-w- c:\windows\eReg.dat
2010-02-22 21:58 . 2010-02-22 21:58 -------- d-----w- c:\program files\Common Files\EasyInfo
2010-02-22 17:44 . 2010-02-24 11:17 -------- d-----w- c:\program files\GameSpy Arcade
2010-02-22 17:39 . 2010-02-22 22:12 -------- d-----w- c:\program files\EA GAMES
2010-02-18 21:01 . 2010-02-18 21:05 -------- d-----w- c:\program files\Google
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-25 19:01 . 2009-12-18 12:26 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-22 22:10 . 2009-12-18 12:26 -------- d-----w- c:\program files\Common Files\InstallShield
2010-02-22 20:59 . 2009-12-18 13:33 -------- d-----w- c:\program files\AGEIA Technologies
2010-02-22 20:41 . 2010-01-20 16:35 -------- d-----w- c:\program files\M-Audio
2010-02-22 20:01 . 2009-12-18 13:33 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-20 16:53 . 2010-01-20 16:53 -------- d-----w- c:\program files\Common Files\PACE Anti-Piracy
2010-01-20 16:51 . 2010-01-20 16:51 -------- d-----w- c:\program files\InterLok
2010-01-20 16:42 . 2010-01-20 16:35 -------- d-----w- c:\program files\Common Files\Digidesign
2010-01-20 16:42 . 2010-01-20 16:37 -------- d-----w- c:\program files\Digidesign
2010-01-19 18:29 . 2009-12-18 13:17 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-15 17:57 . 2010-01-15 17:57 -------- d-----w- c:\program files\Blender Foundation
2010-01-07 13:48 . 2004-08-18 12:00 83652 ----a-w- c:\windows\system32\perfc005.dat
2010-01-07 13:48 . 2004-08-18 12:00 440316 ----a-w- c:\windows\system32\perfh005.dat
2010-01-05 23:37 . 2010-01-05 23:37 -------- d-----w- c:\program files\Emote
2010-01-05 12:26 . 2010-01-05 12:26 -------- d-----w- c:\program files\Team17 Software Ltd
2010-01-04 17:58 . 2010-01-04 17:57 -------- d-----w- c:\program files\Euro Truck Simulator
2009-12-19 13:31 . 2009-12-19 13:31 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-12-19 12:25 . 2009-12-19 12:25 22328 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-12-19 12:25 . 2009-12-19 12:25 103736 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-12-19 12:25 . 2009-12-19 12:25 669184 ----a-w- c:\windows\system32\pbsvc.exe
2009-12-19 12:25 . 2009-12-19 12:25 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-12-19 12:16 . 2009-12-18 12:34 17488 ----a-w- c:\windows\gdrv.sys
2009-12-18 16:18 . 2009-12-18 16:18 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-12-18 13:45 . 2009-12-18 13:45 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-12-18 13:26 . 2009-12-18 13:26 0 ----a-w- c:\windows\nsreg.dat
2009-12-18 13:19 . 2009-12-18 13:19 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-12-18 12:51 . 2009-12-18 12:18 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-12-18 12:51 . 2009-12-18 12:18 2740 ----a-w- c:\windows\pchealth\helpctr\PackageStore\SkuStore.bin
2009-12-18 12:51 . 2009-12-18 12:18 8972 ----a-w- c:\windows\pchealth\helpctr\Config\Cntstore.bin
2009-12-18 12:17 . 2009-12-18 12:17 21812 ----a-w- c:\windows\system32\emptyregdb.dat
2009-12-11 18:00 . 2009-12-18 13:43 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-11-30 17:02 . 2009-11-30 17:02 171144 ----a-w- c:\windows\system32\xliveinstall.dll
2009-11-30 17:02 . 2009-11-30 17:02 72840 ----a-w- c:\windows\system32\xliveinstallhost.exe
.
((((((((((((((((((((((((((((( SnapShot@2010-02-25_22.51.42 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-26 15:35 . 2010-02-26 15:35 16384 c:\windows\Temp\Perflib_Perfdata_630.dat
+ 2010-02-26 15:41 . 2010-02-26 15:41 16384 c:\windows\Temp\Perflib_Perfdata_5a8.dat
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-05-16 153136]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
"RGSC"="c:\program files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe" [2009-12-19 306088]
"ICQ"="c:\program files\ICQ6.5\ICQ.exe" [2009-11-16 172792]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCU"="c:\program files\DeviceVM\Browser Configuration Utility\BCU.exe" [2009-08-04 346320]
"RTHDCPL"="RTHDCPL.EXE" [2009-06-25 17887232]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-11-20 110184]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-20 12669544]
"WheelMouse"="c:\program files\A4Tech\Mouse\Amoumain.exe" [2007-02-10 241664]
"M-Audio Taskbar Icon"="c:\windows\System32\M-AudioTaskBarIcon.exe" [2009-02-11 480264]
"DigidesignMMERefresh"="c:\program files\Digidesign\Drivers\MMERefresh.exe" [2009-06-18 77824]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2010-1-19 113664]
Media Key.lnk - c:\program files\Media Key\MagicKey.exe [2009-12-20 159744]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Electronic Arts\\Dead Space\\Dead Space.exe"=
"c:\\Program Files\\THQ\\Frontlines-Fuel of War\\Binaries\\FFOW.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Activision\\Modern Warfare 2\\iw4mp.exe"=
"c:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
"c:\\Program Files\\Rockstar Games\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"c:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\GTAIV.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\EA GAMES\\Medal of Honor Pacific Assault(tm)\\mohpa.exe"=
"c:\\Program Files\\EA GAMES\\MOHAA\\MOHAA.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\EA GAMES\\MOHAA\\moh_spearhead.exe"=
"c:\\Program Files\\EA GAMES\\MOHAA\\fpupdate.exe"=
"c:\\Program Files\\EA GAMES\\MOHAA\\moh_Breakthrough.exe"=
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [18.12.2009 14:45 691696]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [18.12.2009 13:58 114768]
R1 kbfilter;Keyboard Filter Driver;c:\windows\system32\drivers\kbfilter.sys [20.12.2009 1:39 12856]
R1 UsbFltr;WayTechUSBFilterDriver;c:\windows\system32\drivers\UsbFltr.sys [20.12.2009 1:39 9291]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [18.12.2009 13:58 20560]
R2 BCUService;Browser Configuration Utility Service;c:\program files\DeviceVM\Browser Configuration Utility\BCUService.exe [18.12.2009 13:26 219360]
R2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [23.2.2010 18:30 222456]
R3 MAUSBFT;Service for M-Audio Fast Track;c:\windows\system32\drivers\mausbft.sys [20.1.2010 17:35 156552]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [18.2.2010 22:01 135664]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\HONZAP~1\LOCALS~1\Temp\ALSysIO.sys --> c:\docume~1\HONZAP~1\LOCALS~1\Temp\ALSysIO.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\ambfilt.sys [18.12.2009 13:29 1684736]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-11-20 13:28 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
2010-02-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-18 21:01]
2010-02-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-18 21:01]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://start.icq.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Honza PC\Data aplikací\Mozilla\Firefox\Profiles\e2vcwhwg.default\
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - hxxp://www.seznam.cz/
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX SETTINGS ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-26 16:42
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spyp.sys >>UNKNOWN [0x84172938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xb80ecf28
\Driver\ACPI -> ACPI.sys @ 0xb7e74cb8
\Driver\atapi -> atapi.sys @ 0xb7cdab40
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Realtek PCIe GBE Family Controller -> SendCompleteHandler -> NDIS.sys @ 0xb7bc5bb0
PacketIndicateHandler -> NDIS.sys @ 0xb7bd2a21
SendHandler -> NDIS.sys @ 0xb7bb087b
user & kernel MBR OK
**************************************************************************
.
--------------------- DLLs loaded under running processes ---------------------
- - - - - - - > 'explorer.exe'(2960)
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other running processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\Media Key\OSD.EXE
c:\program files\Rockstar Games\Rockstar Games Social Club\1_1_3_0\RGSC.exe
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
.
**************************************************************************
.
Completion time: 2010-02-26 16:45:16 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-26 15:45
ComboFix2.txt 2010-02-25 22:55
Pre-Run: 152,870,211,584 bytes free
Post-Run: 152,744,120,320 bytes free
- - End Of File - - 526FC44C61FF298B9F2858A63DFD86F9
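A first triage pass over ComboFix output of the kind posted above, as an added example that is neither ComboFix's code nor part of the original post. It parses the "Files Created" lines, the Startup-folder listing, the R0/S3 service lines and the "*Deregistered*" line, and applies rules of its own choosing: a driver created within a week of the run, a file whose creation time is newer than its last write (it was copied in with the source timestamp kept), a service imaged from a Temp folder or whose file ComboFix could not stat ("[?]"), a deregistered driver, and a bare executable sitting in a Startup folder instead of a .lnk. The sample input is constructed from lines copied out of the logs in this thread; the rule names and the seven-day window are assumptions of the example.

```python
"""Triage heuristics for ComboFix log lines.

Added example for this thread; not ComboFix code and not posted by the
thread's author. The rules are this example's own, not something ComboFix
reports.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""ComboFix 10-02-25.02 - Honza PC 25.02.2010 23:48:14.1.2 - x86
((((((((((((((((((((((((( Files Created from 2010-01-25 to 2010-02-25 )))))))))))))))))))))))))))))))
2010-02-25 22:39 . 2010-02-25 22:52 792064 ----a-w- c:\windows\system32\drivers\vutmao.sys
2010-02-25 22:39 . 2008-04-13 21:09 142592 ----a-w- c:\windows\system32\drivers\aec.sys
2010-02-18 21:01 . 2010-02-18 21:05 -------- d-----w- c:\program files\Google
c:\documents and settings\Honza PC\Nabídka Start\Programy\Po spuštění\
winesm32.exe [2008-4-14 29184]
c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\
Media Key.lnk - c:\program files\Media Key\MagicKey.exe [2009-12-20 159744]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [18.12.2009 14:45 691696]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\HONZAP~1\LOCALS~1\Temp\ALSysIO.sys --> c:\docume~1\HONZAP~1\LOCALS~1\Temp\ALSysIO.sys [?]
--- Other Services/Drivers in Memory ---
*Deregistered* - vutmao
"""

HEADER_RE = re.compile(r"^ComboFix \S+ - .+? (\d{2}\.\d{2}\.\d{4} \d{2}:\d{2})")
# "<date1> . <date2> <size|--------> <attrs> <path>": in the "Files Created"
# section date1 is the creation time; in the Find3M section it is the last write.
FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"\s+(\d+|-+)\s+(\S{8})\s+(.+)$")
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*) \[([^\]]*)\]$")
DEREG_RE = re.compile(r"^\*Deregistered\* - (\S+)$")
STARTUP_DIR_RE = re.compile(r"^[a-z]:\\.*\\$", re.IGNORECASE)
STARTUP_ITEM_RE = re.compile(r"^(.+) \[\d{4}-\d{1,2}-\d{1,2} \d+\]$")


def triage(log_text, recent_days=7):
    """Return (rule, detail) pairs for entries that deserve a closer look."""
    findings = []
    log_time = None               # from the ComboFix header line
    first_col_is_created = True   # flipped inside the Find3M section
    in_startup_dir = False
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            log_time = datetime.strptime(m.group(1), "%d.%m.%Y %H:%M")
            continue
        if line.startswith("((("):            # section banner
            first_col_is_created = "Find3M" not in line
            in_startup_dir = False
            continue
        m = FILE_RE.match(line)
        if m:
            in_startup_dir = False
            if m.group(4).startswith("d"):    # directory entry
                continue
            t1 = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
            t2 = datetime.strptime(m.group(2), "%Y-%m-%d %H:%M")
            created, modified = (t1, t2) if first_col_is_created else (t2, t1)
            path = m.group(5).lower()
            recent = log_time is not None and log_time - created <= timedelta(days=recent_days)
            if recent and "\\drivers\\" in path:
                findings.append(("new_driver", path))
            if created - modified > timedelta(days=1):
                # Created well after its last write: copied in with the source timestamp kept.
                findings.append(("copied_in", path))
            continue
        m = SERVICE_RE.match(line)
        if m:
            in_startup_dir = False
            _start, name, _display, image, stamp = m.groups()
            if "\\temp\\" in image.lower():
                findings.append(("service_in_temp", name))
            if stamp.strip() == "?":          # ComboFix could not stat the image
                findings.append(("service_file_unverified", name))
            continue
        m = DEREG_RE.match(line)
        if m:
            in_startup_dir = False
            findings.append(("deregistered_driver", m.group(1)))
            continue
        if STARTUP_DIR_RE.match(line):
            in_startup_dir = True
            continue
        m = STARTUP_ITEM_RE.match(line) if in_startup_dir else None
        if m:
            if ".lnk - " not in m.group(1):   # bare executable, not a shortcut
                findings.append(("raw_startup_exe", m.group(1)))
            continue
        in_startup_dir = False
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:24} {detail}")
```

The flags are leads, not verdicts: `copied_in` fires for any file copied with its original last-write time, a restored system file as much as a dropped one, so the next step for a flagged driver is to hash it and compare against a known-good copy of the same version rather than to delete it on the strength of the flag.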
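The VirusTotal PEInfo table reproduced in this thread for aec.sys carries an "ntrpy" column (7.38 for its .data and PAGEDATA sections). As an added example, not VirusTotal's code and not part of the original post, this is how such a figure is derived: walk the PE section table with `struct`, slice each section's raw bytes, and compute Shannon entropy in bits per byte. The input is a constructed two-section image built inside the block (parseable, deliberately not loadable); the 7.0 threshold in `high_entropy_sections` is the example's own choice.

```python
"""Per-section entropy of a PE image, the "ntrpy" column of a PEInfo table.

Added example; neither VirusTotal's code nor anything posted in this thread.
"""
import math
import random
import struct


def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant run, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(image):
    """Yield (name, virt_addr, virt_size, raw_size, entropy) for each section."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    table = coff + 20 + opt_size          # section table follows the optional header
    for i in range(nsect):
        off = table + 40 * i              # IMAGE_SECTION_HEADER is 40 bytes
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", image, off + 8)
        raw = image[rawptr:rawptr + rawsize]
        yield name, vaddr, vsize, rawsize, round(shannon_entropy(raw), 2)


def high_entropy_sections(image, threshold=7.0):
    """Names of sections whose raw bytes look compressed or encrypted."""
    return [s[0] for s in pe_sections(image) if s[4] >= threshold]


def build_sample_pe():
    """Constructed two-section image for the demo: parseable, not loadable.

    The optional header is omitted (SizeOfOptionalHeader = 0), which a real
    loader would reject; the section-table walk above does not need it.
    """
    text = bytes([0x90]) * 1024                                  # NOP sled: entropy 0
    rng = random.Random(2010)                                    # fixed seed: repeatable
    data = bytes(rng.getrandbits(8) for _ in range(4096))       # random bytes: ~8 bits
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x0102)  # I386, two sections
    table_end = e_lfanew + 4 + 20 + 40 * 2

    def section(name, vaddr, raw, rawptr):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
        # NumberOfLinenumbers, Characteristics
        return name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(raw), vaddr, len(raw), rawptr, 0, 0, 0, 0, 0)

    image = dos + b"PE\0\0" + coff
    image += section(b".text", 0x1000, text, table_end)
    image += section(b".data", 0x2000, data, table_end + len(text))
    return image + text + data


if __name__ == "__main__":
    for name, vaddr, vsize, rawsize, ent in pe_sections(build_sample_pe()):
        print(f"{name:8} {vaddr:#08x} {vsize:#07x} {rawsize:#07x} {ent:.2f}")
```

Entropy near 8 says only that a section's bytes are incompressible; packed code, encrypted payloads, and plain lookup tables in a filter driver's data all look alike to this measure, so a high figure is a reason to compare the file's hashes against a known-good copy of the same version, not a verdict by itself.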
ComboFix 10-02-25.02 - Honza PC 25.02.2010 23:48:14.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.3582.3227 [GMT 1:00]
Running from: c:\documents and settings\Honza PC\Plocha\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100225-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\patchw32.dll
c:\windows\srchasst\nls302en.lex
E:\install.exe
.
((((((((((((((((((((((((( Files Created from 2010-01-25 to 2010-02-25 )))))))))))))))))))))))))))))))
.
2010-02-25 22:39 . 2010-02-25 22:52 792064 ----a-w- c:\windows\system32\drivers\vutmao.sys
2010-02-25 22:39 . 2008-04-13 21:09 142592 -c--a-w- c:\windows\system32\dllcache\aec.sys
2010-02-25 22:39 . 2008-04-13 21:09 142592 ----a-w- c:\windows\system32\drivers\aec.sys
2010-02-24 11:17 . 2010-02-24 11:17 -------- d-----w- c:\program files\Roger Wilco
2010-02-23 17:30 . 2010-02-23 17:30 -------- d-----w- c:\program files\ICQ6Toolbar
2010-02-23 17:28 . 2010-02-23 17:42 -------- d-----w- c:\program files\ICQ6.5
2010-02-22 22:27 . 2010-02-24 11:20 1065 ----a-w- c:\windows\eReg.dat
2010-02-22 21:58 . 2010-02-22 21:58 -------- d-----w- c:\program files\Common Files\EasyInfo
2010-02-22 17:44 . 2010-02-24 11:17 -------- d-----w- c:\program files\GameSpy Arcade
2010-02-22 17:39 . 2010-02-22 22:12 -------- d-----w- c:\program files\EA GAMES
2010-02-18 21:01 . 2010-02-18 21:05 -------- d-----w- c:\program files\Google
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-25 19:01 . 2009-12-18 12:26 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-22 22:10 . 2009-12-18 12:26 -------- d-----w- c:\program files\Common Files\InstallShield
2010-02-22 20:59 . 2009-12-18 13:33 -------- d-----w- c:\program files\AGEIA Technologies
2010-02-22 20:41 . 2010-01-20 16:35 -------- d-----w- c:\program files\M-Audio
2010-02-22 20:01 . 2009-12-18 13:33 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-20 16:53 . 2010-01-20 16:53 -------- d-----w- c:\program files\Common Files\PACE Anti-Piracy
2010-01-20 16:51 . 2010-01-20 16:51 -------- d-----w- c:\program files\InterLok
2010-01-20 16:42 . 2010-01-20 16:35 -------- d-----w- c:\program files\Common Files\Digidesign
2010-01-20 16:42 . 2010-01-20 16:37 -------- d-----w- c:\program files\Digidesign
2010-01-19 18:29 . 2009-12-18 13:17 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-15 17:57 . 2010-01-15 17:57 -------- d-----w- c:\program files\Blender Foundation
2010-01-07 13:48 . 2004-08-18 12:00 83652 ----a-w- c:\windows\system32\perfc005.dat
2010-01-07 13:48 . 2004-08-18 12:00 440316 ----a-w- c:\windows\system32\perfh005.dat
2010-01-05 23:37 . 2010-01-05 23:37 -------- d-----w- c:\program files\Emote
2010-01-05 12:26 . 2010-01-05 12:26 -------- d-----w- c:\program files\Team17 Software Ltd
2010-01-04 17:58 . 2010-01-04 17:57 -------- d-----w- c:\program files\Euro Truck Simulator
2009-12-19 13:31 . 2009-12-19 13:31 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-12-19 12:25 . 2009-12-19 12:25 22328 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-12-19 12:25 . 2009-12-19 12:25 103736 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-12-19 12:25 . 2009-12-19 12:25 669184 ----a-w- c:\windows\system32\pbsvc.exe
2009-12-19 12:25 . 2009-12-19 12:25 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-12-19 12:16 . 2009-12-18 12:34 17488 ----a-w- c:\windows\gdrv.sys
2009-12-18 16:18 . 2009-12-18 16:18 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-12-18 13:45 . 2009-12-18 13:45 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-12-18 13:26 . 2009-12-18 13:26 0 ----a-w- c:\windows\nsreg.dat
2009-12-18 13:19 . 2009-12-18 13:19 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-12-18 12:51 . 2009-12-18 12:18 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-12-18 12:51 . 2009-12-18 12:18 2740 ----a-w- c:\windows\pchealth\helpctr\PackageStore\SkuStore.bin
2009-12-18 12:51 . 2009-12-18 12:18 8972 ----a-w- c:\windows\pchealth\helpctr\Config\Cntstore.bin
2009-12-18 12:17 . 2009-12-18 12:17 21812 ----a-w- c:\windows\system32\emptyregdb.dat
2009-12-11 18:00 . 2009-12-18 13:43 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-11-30 17:02 . 2009-11-30 17:02 171144 ----a-w- c:\windows\system32\xliveinstall.dll
2009-11-30 17:02 . 2009-11-30 17:02 72840 ----a-w- c:\windows\system32\xliveinstallhost.exe
.
(((((((((((((((((((((((((((((((((( Registry Startup Points )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries and legitimate default entries are not shown.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-05-16 153136]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
"RGSC"="c:\program files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe" [2009-12-19 306088]
"ICQ"="c:\program files\ICQ6.5\ICQ.exe" [2009-11-16 172792]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCU"="c:\program files\DeviceVM\Browser Configuration Utility\BCU.exe" [2009-08-04 346320]
"RTHDCPL"="RTHDCPL.EXE" [2009-06-25 17887232]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-11-20 110184]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-20 12669544]
"WheelMouse"="c:\program files\A4Tech\Mouse\Amoumain.exe" [2007-02-10 241664]
"M-Audio Taskbar Icon"="c:\windows\System32\M-AudioTaskBarIcon.exe" [2009-02-11 480264]
"DigidesignMMERefresh"="c:\program files\Digidesign\Drivers\MMERefresh.exe" [2009-06-18 77824]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\Honza PC\Nabídka Start\Programy\Po spuštění\
winesm32.exe [2008-4-14 29184]
c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2010-1-19 113664]
Media Key.lnk - c:\program files\Media Key\MagicKey.exe [2009-12-20 159744]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Electronic Arts\\Dead Space\\Dead Space.exe"=
"c:\\Program Files\\THQ\\Frontlines-Fuel of War\\Binaries\\FFOW.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Activision\\Modern Warfare 2\\iw4mp.exe"=
"c:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
"c:\\Program Files\\Rockstar Games\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"c:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\GTAIV.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\EA GAMES\\Medal of Honor Pacific Assault(tm)\\mohpa.exe"=
"c:\\Program Files\\EA GAMES\\MOHAA\\MOHAA.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\EA GAMES\\MOHAA\\moh_spearhead.exe"=
"c:\\Program Files\\EA GAMES\\MOHAA\\fpupdate.exe"=
"c:\\Program Files\\EA GAMES\\MOHAA\\moh_Breakthrough.exe"=
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [18.12.2009 14:45 691696]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [18.12.2009 13:58 114768]
R1 kbfilter;Keyboard Filter Driver;c:\windows\system32\drivers\kbfilter.sys [20.12.2009 1:39 12856]
R1 UsbFltr;WayTechUSBFilterDriver;c:\windows\system32\drivers\UsbFltr.sys [20.12.2009 1:39 9291]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [18.12.2009 13:58 20560]
R2 BCUService;Browser Configuration Utility Service;c:\program files\DeviceVM\Browser Configuration Utility\BCUService.exe [18.12.2009 13:26 219360]
R2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [23.2.2010 18:30 222456]
R3 MAUSBFT;Service for M-Audio Fast Track;c:\windows\system32\drivers\mausbft.sys [20.1.2010 17:35 156552]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [18.2.2010 22:01 135664]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\HONZAP~1\LOCALS~1\Temp\ALSysIO.sys --> c:\docume~1\HONZAP~1\LOCALS~1\Temp\ALSysIO.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\ambfilt.sys [18.12.2009 13:29 1684736]
--- Other Services/Drivers in Memory ---
*Deregistered* - vutmao
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-11-20 13:28 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
2010-02-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-18 21:01]
2010-02-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-18 21:01]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://start.icq.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Honza PC\Data aplikací\Mozilla\Firefox\Profiles\e2vcwhwg.default\
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - hxxp://www.seznam.cz/
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX SETTINGS ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - INVALID ENTRIES REMOVED FROM THE REGISTRY - - - -
HKLM-Run-nwiz - nwiz.exe
AddRemove-Guitar Pro 5_is1 - c:\program files\Guitar Pro 5\unins000.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-25 23:51
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\documents and settings\Honza PC\Nabídka Start\Programy\Po spuštění\winesm32.exe 29184 bytes executable
scan completed successfully
hidden files: 1
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spvz.sys >>UNKNOWN [0x84172938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xb80ecf28
\Driver\ACPI -> ACPI.sys @ 0xb7e74cb8
\Driver\atapi -> atapi.sys @ 0xb7cdab40
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Realtek PCIe GBE Family Controller -> SendCompleteHandler -> NDIS.sys @ 0xb7bc5bb0
PacketIndicateHandler -> NDIS.sys @ 0xb7bd2a21
SendHandler -> NDIS.sys @ 0xb7bb087b
user & kernel MBR OK
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vutmao]
.
--------------------- DLLs loaded under running processes ---------------------
- - - - - - - > 'explorer.exe'(2944)
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other running processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\Media Key\OSD.EXE
c:\program files\Rockstar Games\Rockstar Games Social Club\1_1_3_0\RGSC.exe
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
.
**************************************************************************
.
Completion time: 2010-02-25 23:55:09 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-25 22:55
Pre-Run: 151,633,207,296 bytes free
Post-Run: 152,867,303,424 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-CSY.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - 31A4C0CA3163688DD36FCFAC53051458
VirusTotal: file no. 1
Additional information
File size: 142592 bytes
MD5...: 8bed39e3c35d6a489438b8141717a557
SHA1..: 7ccd9dda4ed4c776cd1a1be021a13dbc4b277c7e
SHA256: 1b5796e56b0927360ce0759641b1151828bc0a9e45620d2b2d880491f5ce33d0
ssdeep: 3072:/G09oYX0fLiARBfZ2GaQbYS8OMIKG00D6eOBRRhrGfkQqlIPWHCsyVCvk9AqVu:f9NXuRbVYE7kyvWq
PEiD..: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x2186a
timedatestamp.....: 0x4655ed3c (Thu May 24 19:53:32 2007)
machinetype.......: 0x14c (I386)
( 9 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x380 0x1722 0x1780 6.49 7ee2463242024daeb5b6de516c7611a0
.rdata 0x1b00 0x528 0x580 5.08 701033574d4b84815b4ff5f120aff4b3
.data 0x2080 0xe764 0xe780 7.38 aca6584a0ee27c68547161a37df3efa3
PAGE 0x10800 0xcf97 0xd000 6.59 a4171616989422194826fc54be5b35d9
PAGEDATA 0x1d800 0x3420 0x3480 7.38 ec72840a24316eaffafa2cefec3af7b4
PAGECONS 0x20c80 0xa7c 0xa80 3.30 6b9bf618e75b6b264e1c0584edaa73da
INIT 0x21700 0x860 0x880 5.48 166cdb92814dd6c47840958718d5fb0b
.rsrc 0x21f80 0x3c8 0x400 3.24 336ada92a9f25fc195aa599d4fbf9b4b
.reloc 0x22380 0x970 0x980 5.99 57151fe394329fb822093dffd6eed515
( 3 imports )
> ntoskrnl.exe: _wcslwr, wcslen, IoGetDeviceInterfaces, swprintf, PsTerminateSystemThread, KeWaitForSingleObject, wcsstr, KeSetTimer, ZwClose, ObReferenceObjectByHandle, PsCreateSystemThread, KeInitializeTimerEx, KeBugCheckEx, ObfReferenceObject, ObfDereferenceObject, _aulldiv, _allmul, InterlockedExchange, KeGetCurrentThread, KeSetTimerEx, DbgPrint, KeDelayExecutionThread, KeTickCount, KeQueryTimeIncrement, InterlockedCompareExchange, InterlockedIncrement, RtlCheckRegistryKey, RtlCreateRegistryKey, RtlWriteRegistryValue, RtlQueryRegistryValues, RtlFreeUnicodeString, ExFreePoolWithTag, KeSaveFloatingPointState, KeRestoreFloatingPointState, ExAllocatePoolWithTag, KeSetPriorityThread, ExFreePool, RtlRaiseException
> HAL.dll: KeQueryPerformanceCounter
> ks.sys: KsPinGetAvailableByteCount, KsPinRegisterIrpCompletionCallback, KsFilterAttemptProcessing, KsFilterAcquireProcessingMutex, KsFilterReleaseProcessingMutex, KsPinGetConnectedPinDeviceObject, KsPinGetConnectedPinFileObject, KsGetObjectFromFileObject, KsPinGetParentFilter, KsGetPinFromIrp, _KsEdit, KsStreamPointerClone, KsProcessPinUpdate, KsPinGetConnectedPinInterface, KsStreamPointerGetIrp, KsStreamPointerDelete, KsReleaseControl, KsAcquireControl, KsInitializeDriver, KsFilterGetFirstChildPin, KsGetFilterFromIrp
( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
packers (Kaspersky): PE_Patch
sigcheck:
publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft® Windows® Operating System
description..: Microsoft Acoustic Echo Canceller
original name: aec.sys
internal name: aec.sys
file version.: 5.1.2601.3142
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
VirusTotal: file no. 2
Additional information
File size: 142592 bytes
MD5...: 8bed39e3c35d6a489438b8141717a557
SHA1..: 7ccd9dda4ed4c776cd1a1be021a13dbc4b277c7e
SHA256: 1b5796e56b0927360ce0759641b1151828bc0a9e45620d2b2d880491f5ce33d0
ssdeep: 3072:/G09oYX0fLiARBfZ2GaQbYS8OMIKG00D6eOBRRhrGfkQqlIPWHCsyVCvk9AqVu:f9NXuRbVYE7kyvWq
PEiD..: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x2186a
timedatestamp.....: 0x4655ed3c (Thu May 24 19:53:32 2007)
machinetype.......: 0x14c (I386)
( 9 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x380 0x1722 0x1780 6.49 7ee2463242024daeb5b6de516c7611a0
.rdata 0x1b00 0x528 0x580 5.08 701033574d4b84815b4ff5f120aff4b3
.data 0x2080 0xe764 0xe780 7.38 aca6584a0ee27c68547161a37df3efa3
PAGE 0x10800 0xcf97 0xd000 6.59 a4171616989422194826fc54be5b35d9
PAGEDATA 0x1d800 0x3420 0x3480 7.38 ec72840a24316eaffafa2cefec3af7b4
PAGECONS 0x20c80 0xa7c 0xa80 3.30 6b9bf618e75b6b264e1c0584edaa73da
INIT 0x21700 0x860 0x880 5.48 166cdb92814dd6c47840958718d5fb0b
.rsrc 0x21f80 0x3c8 0x400 3.24 336ada92a9f25fc195aa599d4fbf9b4b
.reloc 0x22380 0x970 0x980 5.99 57151fe394329fb822093dffd6eed515
( 3 imports )
> ntoskrnl.exe: _wcslwr, wcslen, IoGetDeviceInterfaces, swprintf, PsTerminateSystemThread, KeWaitForSingleObject, wcsstr, KeSetTimer, ZwClose, ObReferenceObjectByHandle, PsCreateSystemThread, KeInitializeTimerEx, KeBugCheckEx, ObfReferenceObject, ObfDereferenceObject, _aulldiv, _allmul, InterlockedExchange, KeGetCurrentThread, KeSetTimerEx, DbgPrint, KeDelayExecutionThread, KeTickCount, KeQueryTimeIncrement, InterlockedCompareExchange, InterlockedIncrement, RtlCheckRegistryKey, RtlCreateRegistryKey, RtlWriteRegistryValue, RtlQueryRegistryValues, RtlFreeUnicodeString, ExFreePoolWithTag, KeSaveFloatingPointState, KeRestoreFloatingPointState, ExAllocatePoolWithTag, KeSetPriorityThread, ExFreePool, RtlRaiseException
> HAL.dll: KeQueryPerformanceCounter
> ks.sys: KsPinGetAvailableByteCount, KsPinRegisterIrpCompletionCallback, KsFilterAttemptProcessing, KsFilterAcquireProcessingMutex, KsFilterReleaseProcessingMutex, KsPinGetConnectedPinDeviceObject, KsPinGetConnectedPinFileObject, KsGetObjectFromFileObject, KsPinGetParentFilter, KsGetPinFromIrp, _KsEdit, KsStreamPointerClone, KsProcessPinUpdate, KsPinGetConnectedPinInterface, KsStreamPointerGetIrp, KsStreamPointerDelete, KsReleaseControl, KsAcquireControl, KsInitializeDriver, KsFilterGetFirstChildPin, KsGetFilterFromIrp
( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
packers (Kaspersky): PE_Patch
sigcheck:
publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: Microsoft Acoustic Echo Canceller
original name: aec.sys
internal name: aec.sys
file version.: 5.1.2601.3142
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
Jotti's scans reported that nothing was found.
ComboFix: log after applying the script:
ComboFix 10-02-25.02 - Honza PC 26.02.2010 16:36:29.2.2 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.3582.3244 [GMT 1:00]
Spuštěný z: c:\documents and settings\Honza PC\Plocha\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\Honza PC\Plocha\CFScript.txt
AV: avast! antivirus 4.8.1368 [VPS 100226-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
file zipped: c:\documents and settings\Honza PC\Nabídka Start\Programy\Po spuštění\winesm32.exe
file zipped: c:\windows\system32\drivers\vutmao.sys
.
((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Honza PC\Nabídka Start\Programy\Po spuštění\winesm32.exe
c:\windows\system32\drivers\vutmao.sys
.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_VUTMAO
-------\Service_vutmao
((((((((((((((((((((((((( Soubory vytvořené od 2010-01-26 do 2010-02-26 )))))))))))))))))))))))))))))))
.
2010-02-25 22:39 . 2008-04-13 21:09 142592 -c--a-w- c:\windows\system32\dllcache\aec.sys
2010-02-25 22:39 . 2008-04-13 21:09 142592 ------w- c:\windows\system32\drivers\aec.sys
2010-02-24 11:17 . 2010-02-24 11:17 -------- d-----w- c:\program files\Roger Wilco
2010-02-23 17:30 . 2010-02-23 17:30 -------- d-----w- c:\program files\ICQ6Toolbar
2010-02-23 17:28 . 2010-02-23 17:42 -------- d-----w- c:\program files\ICQ6.5
2010-02-22 22:27 . 2010-02-24 11:20 1065 ----a-w- c:\windows\eReg.dat
2010-02-22 21:58 . 2010-02-22 21:58 -------- d-----w- c:\program files\Common Files\EasyInfo
2010-02-22 17:44 . 2010-02-24 11:17 -------- d-----w- c:\program files\GameSpy Arcade
2010-02-22 17:39 . 2010-02-22 22:12 -------- d-----w- c:\program files\EA GAMES
2010-02-18 21:01 . 2010-02-18 21:05 -------- d-----w- c:\program files\Google
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-25 19:01 . 2009-12-18 12:26 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-22 22:10 . 2009-12-18 12:26 -------- d-----w- c:\program files\Common Files\InstallShield
2010-02-22 20:59 . 2009-12-18 13:33 -------- d-----w- c:\program files\AGEIA Technologies
2010-02-22 20:41 . 2010-01-20 16:35 -------- d-----w- c:\program files\M-Audio
2010-02-22 20:01 . 2009-12-18 13:33 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-20 16:53 . 2010-01-20 16:53 -------- d-----w- c:\program files\Common Files\PACE Anti-Piracy
2010-01-20 16:51 . 2010-01-20 16:51 -------- d-----w- c:\program files\InterLok
2010-01-20 16:42 . 2010-01-20 16:35 -------- d-----w- c:\program files\Common Files\Digidesign
2010-01-20 16:42 . 2010-01-20 16:37 -------- d-----w- c:\program files\Digidesign
2010-01-19 18:29 . 2009-12-18 13:17 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-15 17:57 . 2010-01-15 17:57 -------- d-----w- c:\program files\Blender Foundation
2010-01-07 13:48 . 2004-08-18 12:00 83652 ----a-w- c:\windows\system32\perfc005.dat
2010-01-07 13:48 . 2004-08-18 12:00 440316 ----a-w- c:\windows\system32\perfh005.dat
2010-01-05 23:37 . 2010-01-05 23:37 -------- d-----w- c:\program files\Emote
2010-01-05 12:26 . 2010-01-05 12:26 -------- d-----w- c:\program files\Team17 Software Ltd
2010-01-04 17:58 . 2010-01-04 17:57 -------- d-----w- c:\program files\Euro Truck Simulator
2009-12-19 13:31 . 2009-12-19 13:31 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-12-19 12:25 . 2009-12-19 12:25 22328 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-12-19 12:25 . 2009-12-19 12:25 103736 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-12-19 12:25 . 2009-12-19 12:25 669184 ----a-w- c:\windows\system32\pbsvc.exe
2009-12-19 12:25 . 2009-12-19 12:25 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-12-19 12:16 . 2009-12-18 12:34 17488 ----a-w- c:\windows\gdrv.sys
2009-12-18 16:18 . 2009-12-18 16:18 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-12-18 13:45 . 2009-12-18 13:45 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-12-18 13:26 . 2009-12-18 13:26 0 ----a-w- c:\windows\nsreg.dat
2009-12-18 13:19 . 2009-12-18 13:19 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-12-18 12:51 . 2009-12-18 12:18 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-12-18 12:51 . 2009-12-18 12:18 2740 ----a-w- c:\windows\pchealth\helpctr\PackageStore\SkuStore.bin
2009-12-18 12:51 . 2009-12-18 12:18 8972 ----a-w- c:\windows\pchealth\helpctr\Config\Cntstore.bin
2009-12-18 12:17 . 2009-12-18 12:17 21812 ----a-w- c:\windows\system32\emptyregdb.dat
2009-12-11 18:00 . 2009-12-18 13:43 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-11-30 17:02 . 2009-11-30 17:02 171144 ----a-w- c:\windows\system32\xliveinstall.dll
2009-11-30 17:02 . 2009-11-30 17:02 72840 ----a-w- c:\windows\system32\xliveinstallhost.exe
.
((((((((((((((((((((((((((((( SnapShot@2010-02-25_22.51.42 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-26 15:35 . 2010-02-26 15:35 16384 c:\windows\Temp\Perflib_Perfdata_630.dat
+ 2010-02-26 15:41 . 2010-02-26 15:41 16384 c:\windows\Temp\Perflib_Perfdata_5a8.dat
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-05-16 153136]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
"RGSC"="c:\program files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe" [2009-12-19 306088]
"ICQ"="c:\program files\ICQ6.5\ICQ.exe" [2009-11-16 172792]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCU"="c:\program files\DeviceVM\Browser Configuration Utility\BCU.exe" [2009-08-04 346320]
"RTHDCPL"="RTHDCPL.EXE" [2009-06-25 17887232]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-11-20 110184]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-20 12669544]
"WheelMouse"="c:\program files\A4Tech\Mouse\Amoumain.exe" [2007-02-10 241664]
"M-Audio Taskbar Icon"="c:\windows\System32\M-AudioTaskBarIcon.exe" [2009-02-11 480264]
"DigidesignMMERefresh"="c:\program files\Digidesign\Drivers\MMERefresh.exe" [2009-06-18 77824]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2010-1-19 113664]
Media Key.lnk - c:\program files\Media Key\MagicKey.exe [2009-12-20 159744]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Electronic Arts\\Dead Space\\Dead Space.exe"=
"c:\\Program Files\\THQ\\Frontlines-Fuel of War\\Binaries\\FFOW.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Activision\\Modern Warfare 2\\iw4mp.exe"=
"c:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
"c:\\Program Files\\Rockstar Games\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"c:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\GTAIV.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\EA GAMES\\Medal of Honor Pacific Assault(tm)\\mohpa.exe"=
"c:\\Program Files\\EA GAMES\\MOHAA\\MOHAA.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\EA GAMES\\MOHAA\\moh_spearhead.exe"=
"c:\\Program Files\\EA GAMES\\MOHAA\\fpupdate.exe"=
"c:\\Program Files\\EA GAMES\\MOHAA\\moh_Breakthrough.exe"=
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [18.12.2009 14:45 691696]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [18.12.2009 13:58 114768]
R1 kbfilter;Keyboard Filter Driver;c:\windows\system32\drivers\kbfilter.sys [20.12.2009 1:39 12856]
R1 UsbFltr;WayTechUSBFilterDriver;c:\windows\system32\drivers\UsbFltr.sys [20.12.2009 1:39 9291]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [18.12.2009 13:58 20560]
R2 BCUService;Browser Configuration Utility Service;c:\program files\DeviceVM\Browser Configuration Utility\BCUService.exe [18.12.2009 13:26 219360]
R2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [23.2.2010 18:30 222456]
R3 MAUSBFT;Service for M-Audio Fast Track;c:\windows\system32\drivers\mausbft.sys [20.1.2010 17:35 156552]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [18.2.2010 22:01 135664]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\HONZAP~1\LOCALS~1\Temp\ALSysIO.sys --> c:\docume~1\HONZAP~1\LOCALS~1\Temp\ALSysIO.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\ambfilt.sys [18.12.2009 13:29 1684736]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-11-20 13:28 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Obsah adresáře 'Naplánované úlohy'
2010-02-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-18 21:01]
2010-02-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-18 21:01]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://start.icq.com/
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Honza PC\Data aplikací\Mozilla\Firefox\Profiles\e2vcwhwg.default\
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - hxxp://www.seznam.cz/
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-26 16:42
Windows 5.1.2600 Service Pack 3 NTFS
skenování skrytých procesů ...
skenování skrytých položek 'Po spuštění' ...
skenování skrytých souborů ...
sken byl úspešně dokončen
skryté soubory: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spyp.sys >>UNKNOWN [0x84172938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xb80ecf28
\Driver\ACPI -> ACPI.sys @ 0xb7e74cb8
\Driver\atapi -> atapi.sys @ 0xb7cdab40
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Realtek PCIe GBE Family Controller -> SendCompleteHandler -> NDIS.sys @ 0xb7bc5bb0
PacketIndicateHandler -> NDIS.sys @ 0xb7bd2a21
SendHandler -> NDIS.sys @ 0xb7bb087b
user & kernel MBR OK
**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------
- - - - - - - > 'explorer.exe'(2960)
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\Media Key\OSD.EXE
c:\program files\Rockstar Games\Rockstar Games Social Club\1_1_3_0\RGSC.exe
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
.
**************************************************************************
.
Celkový čas: 2010-02-26 16:45:16 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-02-26 15:45
ComboFix2.txt 2010-02-25 22:55
Před spuštěním: Volných bajtů: 152 870 211 584
Po spuštění: Volných bajtů: 152 744 120 320
- - End Of File - - 526FC44C61FF298B9F2858A63DFD86F9