Page 1 of 2

for Motji

Posted: 19 Mar 2010 18:20
by nessay
hi :)

here is the RSIT from the other computer I mentioned to you. This one, however, is a roughly 4-year-old HP and its DVD drive has already died, so if you have any ideas, it won't work via CD.


Logfile of random's system information tool 1.06 (written by random/random)
Run by mama at 2010-03-19 17:48:17
Microsoft Windows XP Professional Service Pack 2
System drive C: has 45 GB (78%) free of 57 GB
Total RAM: 446 MB (64% free)

HijackThis download failed

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"=C:\WINDOWS\system32\Ati2mdxx.exe [2001-09-04 28672]
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2003-06-25 335872]
"CARPService"=C:\WINDOWS\system32\carpserv.exe [2003-11-08 4608]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-02-27 35696]
"KernelFaultCheck"=C:\WINDOWS\system32\dumprep 0 -k []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe [2006-05-30 15360]
"DAEMON Tools Lite"=C:\Program Files\DAEMON Tools Lite\daemon.exe [2009-04-23 691656]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup
Ralink Wireless Utility.lnk - C:\Program Files\RALINK\Common\RaUI.exe

C:\Documents and Settings\mama\Start Menu\Programs\Startup
ihaupd32.exe
zipdkg32.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2009-03-10 239496]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Skype\Plugin Manager\skypePM.exe"="C:\Program Files\Skype\Plugin Manager\skypePM.exe:*:Enabled:Skype Extras Manager"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{243f156e-b044-11de-9b45-002163e383ac}]
shell\AutoRun\command - E:\SAVEST///cista.exe
shell\open\command - E:\SAVEST///cista.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f74259ab-965e-11de-9b37-002163e383ac}]
shell\AutoRun\command - E:\LaunchU3.exe -a


======File associations======

.exe - open - "C:\Documents and Settings\mama\Local Settings\Application Data\av.exe" /START "%1" %*

======List of files/folders created in the last 1 months======

2010-03-19 17:48:18 ----D---- C:\Program Files\trend micro
2010-03-19 17:48:17 ----D---- C:\rsit
2010-03-19 12:09:05 ----A---- C:\WINDOWS\ntbtlog.txt
2010-03-19 12:02:55 ----D---- C:\WINDOWS\_VOIDfgntspfeqq
2010-03-19 12:02:55 ----A---- C:\WINDOWS\system32\_VOIDsbllcxmlmo.dll
2010-03-19 12:02:28 ----A---- C:\WINDOWS\system32\wuaucldt.exe
2010-03-19 12:02:18 ----A---- C:\lsass.exe
2010-03-13 18:05:53 ----N---- C:\WINDOWS\system32\browserchoice.exe
2010-03-13 09:46:31 ----HDC---- C:\WINDOWS\$NtUninstallKB975561$
2010-03-05 07:58:47 ----HDC---- C:\WINDOWS\$NtUninstallKB977165-v2$
2010-02-26 15:16:58 ----HDC---- C:\WINDOWS\$NtUninstallKB979306$

======List of files/folders modified in the last 1 months======

2010-03-19 17:48:18 ----RD---- C:\Program Files
2010-03-19 12:12:43 ----D---- C:\WINDOWS\Temp
2010-03-19 12:12:28 ----D---- C:\WINDOWS\system32\CatRoot2
2010-03-19 12:11:38 ----D---- C:\Program Files\Mozilla Firefox
2010-03-19 12:09:34 ----SHD---- C:\System Volume Information
2010-03-19 12:09:12 ----D---- C:\WINDOWS
2010-03-19 12:03:13 ----D---- C:\WINDOWS\system32\drivers
2010-03-19 12:02:56 ----D---- C:\WINDOWS\system32
2010-03-19 12:02:53 ----D---- C:\WINDOWS\Prefetch
2010-03-19 12:02:46 ----RSHDC---- C:\WINDOWS\system32\dllcache
2010-03-19 12:02:44 ----SD---- C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft
2010-03-19 12:02:42 ----D---- C:\Program Files\Opera
2010-03-19 09:42:05 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-03-13 18:42:24 ----HD---- C:\WINDOWS\inf
2010-03-13 09:46:38 ----D---- C:\Program Files\Movie Maker
2010-03-13 09:45:43 ----HD---- C:\WINDOWS\$hf_mig$
2010-03-05 07:58:59 ----A---- C:\WINDOWS\imsins.BAK
2010-02-21 17:04:06 ----D---- C:\Documents and Settings\mama\Application Data\Skype
2010-02-21 16:09:30 ----D---- C:\Documents and Settings\mama\Application Data\skypePM

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R3 FA312;NETGEAR FA330/FA312/FA311 Fast Ethernet Adapter Driver; C:\WINDOWS\system32\DRIVERS\FA312nd5.sys [2001-08-17 16074]
R3 RT73;RT73 USB Wireless LAN Card Driver; C:\WINDOWS\system32\DRIVERS\rt73.sys [2006-01-12 252928]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2006-05-30 57600]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2006-05-30 17024]
R3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2006-05-30 26496]
S1 _VOIDfgntspfeqq;_VOIDfgntspfeqq; C:\WINDOWS\_VOIDfgntspfeqq\_VOIDd.sys [2010-03-19 44032]
S1 AmdK7;AMD K7 Processor Driver; C:\WINDOWS\system32\DRIVERS\amdk7.sys [2006-05-30 37376]
S2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.4.3.0; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2009-08-31 20747]
S2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2003-11-08 11043]
S2 StreamDispatcher;StreamDispatcher; C:\WINDOWS\system32\DRIVERS\strmdisp.sys [2003-11-08 30592]
S3 aliadwdm;ALi Audio Accelerator WDM driver; C:\WINDOWS\system32\drivers\ac97ali.sys [2004-08-03 231552]
S3 aqie51we;aqie51we; C:\WINDOWS\system32\drivers\aqie51we.sys []
S3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2003-06-25 587264]
S3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2004-08-04 14080]
S3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSF_DP.sys [2003-11-08 1063040]
S3 HSFHWALI;HSFHWALI; C:\WINDOWS\system32\DRIVERS\HSFHWALI.sys [2003-11-08 179712]
S3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
S3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2003-11-08 631296]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

S2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2003-06-25 294912]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]

-----------------EOF-----------------
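
Added example, not part of the thread and not RSIT's own code: a small Python triage script that scans an RSIT-style log for the kinds of indicators the helper acts on in this thread: executables dropped straight into a Startup folder, `mountpoints2` AutoRun/open commands, a hijacked `.exe` file association, and driver entries with no file info or living outside the normal drivers directory. The sample log is constructed from entries shown above; the flags are review items for a human, not verdicts.

```python
"""Triage an RSIT-style system information log for common autostart abuse."""
import re

# Constructed sample, trimmed from the RSIT log posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2003-06-25 335872]
"KernelFaultCheck"=C:\WINDOWS\system32\dumprep 0 -k []

C:\Documents and Settings\mama\Start Menu\Programs\Startup
ihaupd32.exe
zipdkg32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{243f156e-b044-11de-9b45-002163e383ac}]
shell\AutoRun\command - E:\SAVEST///cista.exe
shell\open\command - E:\SAVEST///cista.exe

======File associations======

.exe - open - "C:\Documents and Settings\mama\Local Settings\Application Data\av.exe" /START "%1" %*

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2006-05-30 26496]
S1 _VOIDfgntspfeqq;_VOIDfgntspfeqq; C:\WINDOWS\_VOIDfgntspfeqq\_VOIDd.sys [2010-03-19 44032]
S3 aqie51we;aqie51we; C:\WINDOWS\system32\drivers\aqie51we.sys []
"""

SECTION_RE = re.compile(r"^={6}(.+?)={6}$")
MOUNT_RE = re.compile(r"^shell\\(\w+)\\command - (.+)$")
ASSOC_RE = re.compile(r"^(\.\w+) - (\w+) - (.+)$")
# status, start type, service name, display name, image path, [date size]
DRIVER_RE = re.compile(r"^([RS])([0-4]) ([^;]+);([^;]*); (.+?) \[(.*)\]$")

# The stock Windows XP open command for .exe is just the file and its args.
DEFAULT_EXE_OPEN = '"%1" %*'


def triage(log_text):
    """Return a list of (kind, detail) findings worth a human's attention."""
    findings = []
    section = None      # current ======Section====== name, lowercased
    reg_key = None      # current [HKEY_...] key, lowercased
    in_startup = False  # inside a Startup-folder listing
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_startup = False      # a blank line ends a folder listing
            continue
        m = SECTION_RE.match(line)
        if m:
            section, reg_key, in_startup = m.group(1).lower(), None, False
            continue
        if line.startswith("[") and line.endswith("]"):
            reg_key, in_startup = line[1:-1].lower(), False
            continue
        if line.lower().endswith("\\startup"):
            in_startup = True
            continue
        if in_startup:
            # Shortcuts (.lnk) are normal here; a bare executable is not.
            if not line.lower().endswith(".lnk"):
                findings.append(("startup-exe", line))
            continue
        if reg_key and "mountpoints2" in reg_key:
            m = MOUNT_RE.match(line)
            if m:  # per-volume AutoRun/open handler cached from a removable drive
                findings.append(("autorun-cmd", f"{m.group(1)} -> {m.group(2)}"))
            continue
        if section == "file associations":
            m = ASSOC_RE.match(line)
            if m and m.group(3).strip() != DEFAULT_EXE_OPEN:
                findings.append(("assoc-hijack", f"{m.group(1)} -> {m.group(3)}"))
            continue
        if section and section.startswith("list of drivers"):
            m = DRIVER_RE.match(line)
            if not m:
                continue
            path, info = m.group(5), m.group(6)
            if info == "":
                findings.append(("driver-no-file-info", path))
            elif "\\system32\\drivers\\" not in path.lower():
                findings.append(("driver-odd-location", path))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:22} {detail}")
```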

Re: for Motji

Posted: 19 Mar 2010 18:28
by motji
It looks like the same viruses.
Do you recognise this folder? C:\WINDOWS\_VOIDfgntspfeqq

I won't properly be here until the evening, but go ahead and put ComboFix and OTM on the PC.
Also pull out your important data, but preferably leave out exe, scr and html files.
It's for safety: since your CD-ROM doesn't work, if the system crashed completely we couldn't do a repair install :(

Re: for Motji

Posted: 19 Mar 2010 18:42
by nessay
no, I don't recognise that folder.. I have no idea what it is.

OK, I'll put OTM and Combo on it... and I'm waiting for the script..

Re: for Motji

Posted: 19 Mar 2010 20:25
by motji
Let's go :)

Log for OTM

:arrow:Download OTM http://oldtimer.geekstogo.com/OTM.exe
Download OTM to the desktop, double-click OTM, the program starts,
Into the left window "Paste Instructions for Items to be Moved", below the yellow line, paste the script

Code:

:processes
explorer.exe
 
:files
C:\WINDOWS\system32\*.tmp.dll /s
C:\WINDOWS\system32\SET*.tmp /s
C:\WINDOWS\*.tmp /s
C:\Documents and Settings\mama\Start Menu\Programs\Startup\ihaupd32.exe
C:\Documents and Settings\mama\Start Menu\Programs\Startup\zipdkg32.exe
E:\SAVEST
C:\WINDOWS\_VOIDfgntspfeqq
C:\WINDOWS\system32\_VOIDsbllcxmlmo.dll
C:\WINDOWS\system32\wuaucldt.exe
C:\lsass.exe

:reg
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{243f156e-b044-11de-9b45-002163e383ac}]

:commands
[resethosts]
[emptytemp]
[EMPTYFLASH]
[clearallrestorepoints]
[Reboot]
-click the red Moveit! button
-paste the contents of the green box here
-If the PC wants to restart, answer YES; you will then find the log in C:\_OTM\MovedFiles. Paste the log here


And then run ComboFix right away; paste both logs here at once.


:arrow: Download to the desktop, close all active windows and run ComboFix - http://download.bleepingcomputer.com/sUBs/ComboFix.exe


- ComboFix must be run under an account with administrator rights

- Before use, disable all resident security programs - antivirus, firewalls, antispyware

- After launch the terms of use are displayed; confirm them by pressing the Yes button

- Then follow the instructions; while ComboFix is running, do not click into the window that appears :!:

- After the scan finishes, which takes at most 10 minutes, the program should create a log - C:\ComboFix.txt; copy its entire contents here


:arrow: Which computers were on the same network as these two? They are probably infected too. And your flash drives are thoroughly infected, so the flash drives must be cleaned as well as the computers you used them on.
So also write down the number of PCs and flash drives :D and then we'll do something about it, otherwise you'll keep passing the infection around forever :roll:

Re: for Motji

Posted: 20 Mar 2010 16:50
by nessay
so with this computer it's going to be a bit harder..
OTM

All processes killed
========== PROCESSES ==========
Process explorer.exe killed successfully!
========== FILES ==========
File/Folder C:\WINDOWS\system32\*.tmp.dll not found.
File/Folder C:\WINDOWS\system32\SET*.tmp not found.
C:\WINDOWS\SET29.tmp moved successfully.
C:\WINDOWS\SET2A.tmp moved successfully.
C:\WINDOWS\SET2B.tmp moved successfully.
C:\WINDOWS\SET2C.tmp moved successfully.
C:\WINDOWS\SET2D.tmp moved successfully.
C:\WINDOWS\SET2E.tmp moved successfully.
C:\WINDOWS\SET2F.tmp moved successfully.
C:\WINDOWS\SET3.tmp moved successfully.
C:\WINDOWS\SET30.tmp moved successfully.
C:\WINDOWS\SET31.tmp moved successfully.
C:\WINDOWS\SET32.tmp moved successfully.
C:\WINDOWS\SET33.tmp moved successfully.
C:\WINDOWS\SET34.tmp moved successfully.
C:\WINDOWS\SET35.tmp moved successfully.
C:\WINDOWS\SET36.tmp moved successfully.
C:\WINDOWS\SET37.tmp moved successfully.
C:\WINDOWS\SET38.tmp moved successfully.
C:\WINDOWS\SET39.tmp moved successfully.
C:\WINDOWS\SET3A.tmp moved successfully.
C:\WINDOWS\SET3B.tmp moved successfully.
C:\WINDOWS\SET3C.tmp moved successfully.
C:\WINDOWS\SET3D.tmp moved successfully.
C:\WINDOWS\SET3E.tmp moved successfully.
C:\WINDOWS\SET3F.tmp moved successfully.
C:\WINDOWS\SET4.tmp moved successfully.
C:\WINDOWS\SET40.tmp moved successfully.
C:\WINDOWS\SET41.tmp moved successfully.
C:\WINDOWS\SET42.tmp moved successfully.
C:\WINDOWS\SET43.tmp moved successfully.
C:\WINDOWS\SET44.tmp moved successfully.
C:\WINDOWS\SET45.tmp moved successfully.
C:\WINDOWS\SET46.tmp moved successfully.
C:\WINDOWS\SET47.tmp moved successfully.
C:\WINDOWS\SET48.tmp moved successfully.
C:\WINDOWS\SET49.tmp moved successfully.
C:\WINDOWS\SET4A.tmp moved successfully.
C:\WINDOWS\SET4B.tmp moved successfully.
C:\WINDOWS\SET4C.tmp moved successfully.
C:\WINDOWS\SET4D.tmp moved successfully.
C:\WINDOWS\SET4E.tmp moved successfully.
C:\WINDOWS\SET4F.tmp moved successfully.
C:\WINDOWS\SET50.tmp moved successfully.
C:\WINDOWS\SET51.tmp moved successfully.
C:\WINDOWS\SET52.tmp moved successfully.
C:\WINDOWS\SET53.tmp moved successfully.
C:\WINDOWS\SET54.tmp moved successfully.
C:\WINDOWS\SET55.tmp moved successfully.
C:\WINDOWS\SET56.tmp moved successfully.
C:\WINDOWS\SET57.tmp moved successfully.
C:\WINDOWS\SET58.tmp moved successfully.
C:\WINDOWS\SET59.tmp moved successfully.
C:\WINDOWS\SET5A.tmp moved successfully.
C:\WINDOWS\SET5B.tmp moved successfully.
C:\WINDOWS\SET5C.tmp moved successfully.
C:\WINDOWS\SET5D.tmp moved successfully.
C:\WINDOWS\SET5E.tmp moved successfully.
C:\WINDOWS\SET5F.tmp moved successfully.
C:\WINDOWS\SET60.tmp moved successfully.
C:\WINDOWS\SET61.tmp moved successfully.
C:\WINDOWS\SET66.tmp moved successfully.
C:\WINDOWS\SET8.tmp moved successfully.
C:\WINDOWS\SoftwareDistribution\Download\95d2b7dbf00a9b575ef47eb33aac78a2\BIT1.tmp moved successfully.
C:\WINDOWS\system32\CONFIG.TMP moved successfully.
C:\Documents and Settings\mama\Start Menu\Programs\Startup\ihaupd32.exe moved successfully.
C:\Documents and Settings\mama\Start Menu\Programs\Startup\zipdkg32.exe moved successfully.
E:\SAVEST folder moved successfully.
C:\WINDOWS\_VOIDfgntspfeqq folder moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\_VOIDsbllcxmlmo.dll
C:\WINDOWS\system32\_VOIDsbllcxmlmo.dll moved successfully.
C:\WINDOWS\system32\wuaucldt.exe moved successfully.
C:\lsass.exe moved successfully.
========== REGISTRY ==========
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{243f156e-b044-11de-9b45-002163e383ac}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{243f156e-b044-11de-9b45-002163e383ac}\ not found.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: All Users

User: All Users.WINDOWS

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Default User.WINDOWS
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: frantisek malicky
->Temp folder emptied: 721252129 bytes
->Temporary Internet Files folder emptied: 178846726 bytes
->Flash cache emptied: 52609 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService.NT AUTHORITY
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: mama
->Temp folder emptied: 22287662 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->FireFox cache emptied: 38520461 bytes
->Opera cache emptied: 149168747 bytes
->Flash cache emptied: 10241 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 402 bytes

User: NetworkService.NT AUTHORITY
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: swsetup

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 40419 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 34318 bytes
RecycleBin emptied: 510464 bytes

Total Files Cleaned = 1 059,00 mb


Restore points cleared and new OTM Restore Point set!

OTM by OldTimer - Version 3.1.10.1 log created on 03202010_155557

Files moved on Reboot...

Registry entries deleted on Reboot...

Re: for Motji

Posted: 20 Mar 2010 16:56
by nessay
there were some problems with Combo.. at the start it printed some error
The following files were disabled during the run:
C:\Documents and Settings\mama\Local Settings\Application Data\Windows Server\ljpdea.dll

but when I clicked OK, Combo continued. However, after the restart the system didn't boot. Once the Windows background appeared, a blue screen came up and the system restarted again. It did that twice in a row, so I put it into safe mode. By then Combo wasn't running any more, so it didn't give me a log either.
after OTM I was able to get into normal mode, which I couldn't before. After ComboFix I can't get into it again.

Re: for Motji

Posted: 20 Mar 2010 17:14
by nessay
I tried to get back into that computer.. it wouldn't even start safe mode any more, so I chose Last Known Good Configuration. It logged me into Windows and I see ComboFix is still running. And it gave me a log too. At that moment it seemed to me that everything was as it should be. However, the wifi adapter connects me to the router and even gets an IP and everything needed, but the internet still doesn't work..??

Re: for Motji

Posted: 20 Mar 2010 19:29
by motji
For now, don't even log on to the internet.
Transfer the log here via a flash drive and download Gmer to the PC right away, but don't run it yet; I'll see what I find in the ComboFix log.

I hope you have your data backed up :!: . I don't know how this PC will turn out; it looks like you have a serious rootkit there :o .
Right now I mainly need to see the ComboFix log.


Also do this
:arrow: download to the desktop http://support.kaspersky.com/downloads/ ... killer.zip

:arrow: Open Notepad and copy the text into it

Code:

@echo off
"%userprofile%\desktop\TDSSKiller.exe" -l report.txt -v
notepad report.txt
del %0
exit

 
-save as (type: all files), entering "antiTDL3.bat" as the file name, without quotes,
-click Save, then double-click the file as usual; the scan starts; when it finishes, press any key.
-Notepad opens; copy its contents here :)

Re: for Motji

Posted: 20 Mar 2010 20:15
by nessay
well, I forgot about that log

ComboFix 10-03-19.08 - Administrator . 03. 2010 16:31:01.1.1 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1250.421.1033.18.446.217 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
The following files were disabled during the run:
c:\documents and settings\mama\Local Settings\Application Data\Windows Server\ljpdea.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\mama\Application Data\avdrn.dat
c:\documents and settings\mama\Application Data\wiaservg.log
c:\documents and settings\mama\csrss.exe
c:\documents and settings\mama\Local Settings\Application Data\av.exe
c:\documents and settings\mama\Local Settings\Application Data\ave.exe
c:\documents and settings\mama\Local Settings\Application Data\Windows Server
c:\documents and settings\mama\Local Settings\Application Data\Windows Server\ljpdea.dll.vir
c:\recycler\S-1-5-21-1060284298-507921405-854245398-1003
c:\windows\system32\_VOIDsrcr.dat
c:\windows\system32\_VOIDxwpxmqvebi.dat
c:\windows\system32\config\systemprofile\wuaucldt.exe
c:\windows\system32\drivers\owgxuyj.sys

c:\windows\system32\drivers\cdrom.sys . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy__VOIDd.sys
-------\Legacy__VOIDFGNTSPFEQQ
-------\Service__VOIDd.sys
-------\Service__VOIDfgntspfeqq


((((((((((((((((((((((((( Files Created from 2010-02-20 to 2010-03-20 )))))))))))))))))))))))))))))))
.

2010-03-20 16:03 . 2010-03-20 16:03 -------- d-----w- c:\windows\LastGood
2010-03-20 15:12 . 2010-03-20 15:27 -------- d-----w- c:\windows\LastGood.Tmp
2010-03-20 14:55 . 2010-03-20 14:55 -------- d-----w- C:\_OTM
2010-03-20 14:54 . 2010-03-20 14:54 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2010-03-19 16:48 . 2010-03-19 16:48 -------- d-----w- c:\program files\trend micro
2010-03-19 16:48 . 2010-03-19 17:10 -------- d-----w- C:\rsit
2010-03-13 17:05 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-20 16:05 . 2009-08-31 16:13 860672 ----a-w- c:\windows\system32\drivers\aec.sys
2010-03-19 11:02 . 2006-05-30 07:28 84800 ----a-w- c:\windows\system32\drivers\cdrom.sys
2010-03-19 11:02 . 2009-08-31 18:52 -------- d-----w- c:\program files\Opera
2010-03-19 11:02 . 2010-03-19 11:02 8 ----a-w- c:\documents and settings\NetworkService.NT AUTHORITY\Application Data\zcbmvn.dat
2010-02-21 16:04 . 2010-01-28 12:05 -------- d-----w- c:\documents and settings\mama\Application Data\Skype
2010-02-21 15:09 . 2010-01-28 12:09 -------- d-----w- c:\documents and settings\mama\Application Data\skypePM
2010-02-06 14:07 . 2009-08-31 18:49 -------- d-----w- c:\documents and settings\mama\Application Data\U3
2010-01-28 12:09 . 2010-01-28 12:09 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-01-28 12:05 . 2010-01-28 12:05 -------- d-----r- c:\program files\Skype
2010-01-28 12:05 . 2010-01-28 12:05 -------- d-----w- c:\program files\Common Files\Skype
2010-01-28 12:05 . 2010-01-28 12:05 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Skype
2009-12-31 16:14 . 2006-05-30 07:28 352640 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-27 02:33 . 2009-12-27 02:33 0 ----a-w- c:\windows\nsreg.dat
.

------- Sigcheck -------

[-] 2008-04-14 . A706E122B398FE1AB85CB9B75D044223 . 3066880 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\mshtml.dll
[-] 2006-05-30 . 2A7567272A55781663C1793508479674 . 3123712 . . [6.00.2900.2873] . . c:\windows\system32\mshtml.dll

[-] 2008-04-14 . 7A4F775ABB2F1C97DEF3E73AFA2FAEDD . 666112 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\wininet.dll
[-] 2006-05-30 . E8183DB3295A0D7104B978351418B51F . 668672 . . [6.00.2900.2861] . . c:\windows\system32\wininet.dll

[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe
[-] 2006-05-30 . CCA49B59735BB6EFE1F22AC414FF4041 . 1289728 . . [6.00.2900.2180] . . c:\windows\explorer.exe

[-] 2010-03-20 16:06 . !HASH: COULD NOT OPEN FILE !!!!! . 860672 . . [------] . . c:\windows\system32\drivers\aec.sys
[-] 2008-04-13 16:39 . !HASH: COULD NOT OPEN FILE !!!!! . 142592 . . [------] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\aec.sys

[-] 2006-05-30 07:28 . B9715B9C18BC6C8F4B66733D208CC9F7 . 25088 . . [10.0.3790.4332] . . c:\windows\system32\mspmsnsv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 28672]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-06-25 335872]
"CARPService"="carpserv.exe" [2003-11-08 4608]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2006-05-30 15360]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Ralink Wireless Utility.lnk - c:\program files\RALINK\Common\RaUI.exe [2007-11-25 589824]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
AppSecDll REG_SZ c:\documents and settings\mama\Local Settings\Application Data\Windows Server\ljpdea.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [14. 11. 2009 9:01 721904]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f74259ab-965e-11de-9b37-002163e383ac}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://travian.sk/
IE: E&xportovať do programu Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath -

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".sk");
.
- - - - ORPHANS REMOVED - - - -

AddRemove-DAEMON Tools Toolbar - c:\program files\DAEMON Tools Toolbar\uninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-20 17:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\aec]
"ImagePath"="system32\drivers\aec.sys"
--

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\_VOIDd.sys]
"imagepath"="\systemroot\system32\drivers\_VOIDgbkboyutoy.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\_VOIDd.sys]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\_VOIDgbkboyutoy.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(596)
c:\windows\system32\cscui.dll

- - - - - - - > 'explorer.exe'(1048)
c:\windows\System32\cscui.dll
c:\windows\system32\msi.dll
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\NETSHELL.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\carpserv.exe
.
**************************************************************************
.
Completion time: 2010-03-20 17:06:43 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-20 16:06

Pre-Run: 47 964 594 176 bytes free
Post-Run: 52 084 412 416 bytes free

- - End Of File - - 7902531EB9878C5BFA7846AC4646EE3F

Re: for Motji

Posted: 20 Mar 2010 20:18
by motji
You still have a rootkit there, but also infected system files and, among other things, an infected CD-ROM driver, which may be why it doesn't work :o

I'll wait for the TDSSKiller log and then we'll fight it :D .

Re: for Motji

Posted: 21 Mar 2010 07:47
by motji
I won't be here until the evening, so let's get moving :)

:arrow: download the file from the attachment, extract it from the rar and save it directly on drive C so that the path is
c:\aec.sys

:arrow: If you haven't already, move ComboFix to the desktop
-open Notepad
-Copy the text from this box into it

Code:

KIllAll::

FCopy::
c:\aec.sys | c:\windows\system32\drivers\aec.sys

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\aec]

RegLockDel::
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\_VOIDd.sys]

Rootkit::
c:\windows\system32\drivers\_VOIDgbkboyutoy.sys

Restore::
c:\windows\system32\drivers\cdrom.sys
-save the TXT file you created as CFScript.txt on the desktop
-after saving, grab the script you created with the left mouse button and drag it onto the ComboFix icon, where you drop it:

Image


-after it applies, another log will pop up; paste it here

Warning: it may happen that after applying the script and restarting, Windows does not boot; in that case restart again while pressing F8, then choose Last Known Good Configuration

Re: for Motji

Posted: 21 Mar 2010 10:10
by nessay
09:46:08:904 2316 TDSS rootkit removing tool 2.2.8 Mar 10 2010 15:53:20
09:46:08:904 2316 ================================================================================
09:46:08:904 2316 SystemInfo:

09:46:08:904 2316 OS Version: 5.1.2600 ServicePack: 2.0
09:46:08:904 2316 Product type: Workstation
09:46:08:914 2316 ComputerName: MAMAAOCO
09:46:08:914 2316 UserName: mama
09:46:08:914 2316 Windows directory: C:\WINDOWS
09:46:08:914 2316 Processor architecture: Intel x86
09:46:08:914 2316 Number of processors: 1
09:46:08:914 2316 Page size: 0x1000
09:46:08:914 2316 Boot type: Normal boot
09:46:08:914 2316 ================================================================================
09:46:08:924 2316 UnloadDriverW: NtUnloadDriver error 2
09:46:08:924 2316 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
09:46:08:954 2316 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
09:46:08:954 2316 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
09:46:08:954 2316 wfopen_ex: Trying to KLMD file open
09:46:08:954 2316 wfopen_ex: File opened ok (Flags 2)
09:46:08:954 2316 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
09:46:08:954 2316 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
09:46:08:954 2316 wfopen_ex: Trying to KLMD file open
09:46:08:954 2316 wfopen_ex: File opened ok (Flags 2)
09:46:08:954 2316 Initialize success
09:46:08:954 2316
09:46:08:954 2316 Scanning Services ...
09:46:09:354 2316 GetAdvancedServicesInfo: Raw services enum returned 277 services
09:46:09:354 2316
09:46:09:354 2316 Scanning Kernel memory ...
09:46:09:354 2316 Devices to scan: 4
09:46:09:364 2316
09:46:09:364 2316 Driver Name: Disk
09:46:09:364 2316 IRP_MJ_CREATE : F7755C30
09:46:09:364 2316 IRP_MJ_CREATE_NAMED_PIPE : 804FB8EE
09:46:09:364 2316 IRP_MJ_CLOSE : F7755C30
09:46:09:364 2316 IRP_MJ_READ : F774FD9B
09:46:09:364 2316 IRP_MJ_WRITE : F774FD9B
09:46:09:364 2316 IRP_MJ_QUERY_INFORMATION : 804FB8EE
09:46:09:364 2316 IRP_MJ_SET_INFORMATION : 804FB8EE
09:46:09:364 2316 IRP_MJ_QUERY_EA : 804FB8EE
09:46:09:364 2316 IRP_MJ_SET_EA : 804FB8EE
09:46:09:364 2316 IRP_MJ_FLUSH_BUFFERS : F7750366
09:46:09:364 2316 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FB8EE
09:46:09:364 2316 IRP_MJ_SET_VOLUME_INFORMATION : 804FB8EE
09:46:09:364 2316 IRP_MJ_DIRECTORY_CONTROL : 804FB8EE
09:46:09:364 2316 IRP_MJ_FILE_SYSTEM_CONTROL : 804FB8EE
09:46:09:364 2316 IRP_MJ_DEVICE_CONTROL : F775044D
09:46:09:364 2316 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7753FC3
09:46:09:364 2316 IRP_MJ_SHUTDOWN : F7750366
09:46:09:364 2316 IRP_MJ_LOCK_CONTROL : 804FB8EE
09:46:09:364 2316 IRP_MJ_CLEANUP : 804FB8EE
09:46:09:364 2316 IRP_MJ_CREATE_MAILSLOT : 804FB8EE
09:46:09:364 2316 IRP_MJ_QUERY_SECURITY : 804FB8EE
09:46:09:364 2316 IRP_MJ_SET_SECURITY : 804FB8EE
09:46:09:364 2316 IRP_MJ_POWER : F7751EF3
09:46:09:364 2316 IRP_MJ_SYSTEM_CONTROL : F7756A24
09:46:09:364 2316 IRP_MJ_DEVICE_CHANGE : 804FB8EE
09:46:09:364 2316 IRP_MJ_QUERY_QUOTA : 804FB8EE
09:46:09:364 2316 IRP_MJ_SET_QUOTA : 804FB8EE
09:46:09:364 2316 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
09:46:09:364 2316
09:46:09:364 2316 Driver Name: usbstor
09:46:09:364 2316 IRP_MJ_CREATE : F7AB4218
09:46:09:374 2316 IRP_MJ_CREATE_NAMED_PIPE : 804FB8EE
09:46:09:374 2316 IRP_MJ_CLOSE : F7AB4218
09:46:09:374 2316 IRP_MJ_READ : F7AB423C
09:46:09:374 2316 IRP_MJ_WRITE : F7AB423C
09:46:09:374 2316 IRP_MJ_QUERY_INFORMATION : 804FB8EE
09:46:09:374 2316 IRP_MJ_SET_INFORMATION : 804FB8EE
09:46:09:374 2316 IRP_MJ_QUERY_EA : 804FB8EE
09:46:09:374 2316 IRP_MJ_SET_EA : 804FB8EE
09:46:09:374 2316 IRP_MJ_FLUSH_BUFFERS : 804FB8EE
09:46:09:374 2316 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FB8EE
09:46:09:374 2316 IRP_MJ_SET_VOLUME_INFORMATION : 804FB8EE
09:46:09:374 2316 IRP_MJ_DIRECTORY_CONTROL : 804FB8EE
09:46:09:374 2316 IRP_MJ_FILE_SYSTEM_CONTROL : 804FB8EE
09:46:09:374 2316 IRP_MJ_DEVICE_CONTROL : F7AB4180
09:46:09:374 2316 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7AAF9E6
09:46:09:374 2316 IRP_MJ_SHUTDOWN : 804FB8EE
09:46:09:374 2316 IRP_MJ_LOCK_CONTROL : 804FB8EE
09:46:09:374 2316 IRP_MJ_CLEANUP : 804FB8EE
09:46:09:374 2316 IRP_MJ_CREATE_MAILSLOT : 804FB8EE
09:46:09:374 2316 IRP_MJ_QUERY_SECURITY : 804FB8EE
09:46:09:374 2316 IRP_MJ_SET_SECURITY : 804FB8EE
09:46:09:374 2316 IRP_MJ_POWER : F7AB35F0
09:46:09:374 2316 IRP_MJ_SYSTEM_CONTROL : F7AB1A6E
09:46:09:374 2316 IRP_MJ_DEVICE_CHANGE : 804FB8EE
09:46:09:374 2316 IRP_MJ_QUERY_QUOTA : 804FB8EE
09:46:09:374 2316 IRP_MJ_SET_QUOTA : 804FB8EE
09:46:09:384 2316 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
09:46:09:394 2316
09:46:09:394 2316 Driver Name: Disk
09:46:09:394 2316 IRP_MJ_CREATE : F7755C30
09:46:09:394 2316 IRP_MJ_CREATE_NAMED_PIPE : 804FB8EE
09:46:09:394 2316 IRP_MJ_CLOSE : F7755C30
09:46:09:394 2316 IRP_MJ_READ : F774FD9B
09:46:09:394 2316 IRP_MJ_WRITE : F774FD9B
09:46:09:394 2316 IRP_MJ_QUERY_INFORMATION : 804FB8EE
09:46:09:394 2316 IRP_MJ_SET_INFORMATION : 804FB8EE
09:46:09:394 2316 IRP_MJ_QUERY_EA : 804FB8EE
09:46:09:394 2316 IRP_MJ_SET_EA : 804FB8EE
09:46:09:394 2316 IRP_MJ_FLUSH_BUFFERS : F7750366
09:46:09:394 2316 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FB8EE
09:46:09:394 2316 IRP_MJ_SET_VOLUME_INFORMATION : 804FB8EE
09:46:09:394 2316 IRP_MJ_DIRECTORY_CONTROL : 804FB8EE
09:46:09:394 2316 IRP_MJ_FILE_SYSTEM_CONTROL : 804FB8EE
09:46:09:394 2316 IRP_MJ_DEVICE_CONTROL : F775044D
09:46:09:394 2316 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7753FC3
09:46:09:394 2316 IRP_MJ_SHUTDOWN : F7750366
09:46:09:394 2316 IRP_MJ_LOCK_CONTROL : 804FB8EE
09:46:09:394 2316 IRP_MJ_CLEANUP : 804FB8EE
09:46:09:394 2316 IRP_MJ_CREATE_MAILSLOT : 804FB8EE
09:46:09:394 2316 IRP_MJ_QUERY_SECURITY : 804FB8EE
09:46:09:394 2316 IRP_MJ_SET_SECURITY : 804FB8EE
09:46:09:394 2316 IRP_MJ_POWER : F7751EF3
09:46:09:394 2316 IRP_MJ_SYSTEM_CONTROL : F7756A24
09:46:09:394 2316 IRP_MJ_DEVICE_CHANGE : 804FB8EE
09:46:09:394 2316 IRP_MJ_QUERY_QUOTA : 804FB8EE
09:46:09:394 2316 IRP_MJ_SET_QUOTA : 804FB8EE
09:46:09:394 2316 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
09:46:09:394 2316
09:46:09:394 2316 Driver Name: atapi
09:46:09:394 2316 IRP_MJ_CREATE : F763E572
09:46:09:394 2316 IRP_MJ_CREATE_NAMED_PIPE : 804FB8EE
09:46:09:394 2316 IRP_MJ_CLOSE : F763E572
09:46:09:394 2316 IRP_MJ_READ : 804FB8EE
09:46:09:394 2316 IRP_MJ_WRITE : 804FB8EE
09:46:09:394 2316 IRP_MJ_QUERY_INFORMATION : 804FB8EE
09:46:09:394 2316 IRP_MJ_SET_INFORMATION : 804FB8EE
09:46:09:394 2316 IRP_MJ_QUERY_EA : 804FB8EE
09:46:09:394 2316 IRP_MJ_SET_EA : 804FB8EE
09:46:09:394 2316 IRP_MJ_FLUSH_BUFFERS : 804FB8EE
09:46:09:394 2316 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FB8EE
09:46:09:394 2316 IRP_MJ_SET_VOLUME_INFORMATION : 804FB8EE
09:46:09:394 2316 IRP_MJ_DIRECTORY_CONTROL : 804FB8EE
09:46:09:394 2316 IRP_MJ_FILE_SYSTEM_CONTROL : 804FB8EE
09:46:09:394 2316 IRP_MJ_DEVICE_CONTROL : F763E592
09:46:09:394 2316 IRP_MJ_INTERNAL_DEVICE_CONTROL : F763A7B4
09:46:09:394 2316 IRP_MJ_SHUTDOWN : 804FB8EE
09:46:09:394 2316 IRP_MJ_LOCK_CONTROL : 804FB8EE
09:46:09:394 2316 IRP_MJ_CLEANUP : 804FB8EE
09:46:09:394 2316 IRP_MJ_CREATE_MAILSLOT : 804FB8EE
09:46:09:394 2316 IRP_MJ_QUERY_SECURITY : 804FB8EE
09:46:09:394 2316 IRP_MJ_SET_SECURITY : 804FB8EE
09:46:09:394 2316 IRP_MJ_POWER : F763E5BC
09:46:09:394 2316 IRP_MJ_SYSTEM_CONTROL : F7645164
09:46:09:394 2316 IRP_MJ_DEVICE_CHANGE : 804FB8EE
09:46:09:394 2316 IRP_MJ_QUERY_QUOTA : 804FB8EE
09:46:09:394 2316 IRP_MJ_SET_QUOTA : 804FB8EE
09:46:09:424 2316 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
09:46:09:424 2316
09:46:09:424 2316 Completed
09:46:09:424 2316
09:46:09:424 2316 Results:
09:46:09:424 2316 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
09:46:09:424 2316 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
09:46:09:424 2316 File objects infected / cured / cured on reboot: 0 / 0 / 0
09:46:09:424 2316
09:46:09:424 2316 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
09:46:09:424 2316 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
09:46:09:424 2316 KLMD(ARK) unloaded successfully
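
The dispatch tables above are the part of a TDSSKiller run worth reading. The I/O manager fills every IRP_MJ_* slot a driver does not implement with one kernel default routine, so that one address (804FB8EE in this log) repeats across all drivers, while the slots a driver does implement point into its own image and therefore cluster tightly (F775xxxx for Disk, F7ABxxxx for usbstor, F763xxxx/F764xxxx for atapi). A hooked slot points somewhere else in kernel memory. The script below is an added example, not TDSSKiller's code and not part of this post: it parses tables in this format and flags any handler that is neither the shared default nor near the driver's other handlers. The Disk and atapi lines are taken from the log above; the cdrom table, with its IRP_MJ_DEVICE_CONTROL slot pointed at 8A0C3B20, is constructed to show a hook, and the 1 MiB cluster window is an assumption. Without module base and size this is a heuristic, not proof.

```python
"""Heuristic IRP-hook check over TDSSKiller "Scanning Kernel memory" output.

Added example, not TDSSKiller's code. Unimplemented IRP_MJ_* slots share
one kernel default routine; a driver's own handlers sit close together in
its image. A handler that is neither is treated as a possible hook.
"""
import re
from collections import Counter

DRIVER_RE = re.compile(r"Driver Name: (\S+)")
IRP_RE = re.compile(r"(IRP_MJ_\w+)\s*:\s*([0-9A-Fa-f]{8})")

# Assumption: one driver's own handlers lie within this many bytes of each
# other (32-bit XP storage drivers are far smaller than 1 MiB).
CLUSTER_WINDOW = 0x100000

# Disk and atapi lines are copied from the log above. The cdrom table is
# constructed: its IRP_MJ_DEVICE_CONTROL (8A0C3B20) is the planted hook.
SAMPLE_LOG = """\
09:46:09:364 2316 Driver Name: Disk
09:46:09:364 2316 IRP_MJ_CREATE : F7755C30
09:46:09:364 2316 IRP_MJ_CREATE_NAMED_PIPE : 804FB8EE
09:46:09:364 2316 IRP_MJ_CLOSE : F7755C30
09:46:09:364 2316 IRP_MJ_READ : F774FD9B
09:46:09:364 2316 IRP_MJ_WRITE : F774FD9B
09:46:09:364 2316 IRP_MJ_FLUSH_BUFFERS : F7750366
09:46:09:364 2316 IRP_MJ_DEVICE_CONTROL : F775044D
09:46:09:364 2316 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7753FC3
09:46:09:364 2316 IRP_MJ_POWER : F7751EF3
09:46:09:364 2316 IRP_MJ_SYSTEM_CONTROL : F7756A24
09:46:09:364 2316 IRP_MJ_SET_QUOTA : 804FB8EE
09:46:09:394 2316 Driver Name: atapi
09:46:09:394 2316 IRP_MJ_CREATE : F763E572
09:46:09:394 2316 IRP_MJ_CREATE_NAMED_PIPE : 804FB8EE
09:46:09:394 2316 IRP_MJ_CLOSE : F763E572
09:46:09:394 2316 IRP_MJ_READ : 804FB8EE
09:46:09:394 2316 IRP_MJ_DEVICE_CONTROL : F763E592
09:46:09:394 2316 IRP_MJ_INTERNAL_DEVICE_CONTROL : F763A7B4
09:46:09:394 2316 IRP_MJ_POWER : F763E5BC
09:46:09:394 2316 IRP_MJ_SYSTEM_CONTROL : F7645164
09:46:09:400 2316 Driver Name: cdrom
09:46:09:400 2316 IRP_MJ_CREATE : F7B2A1C0
09:46:09:400 2316 IRP_MJ_CREATE_NAMED_PIPE : 804FB8EE
09:46:09:400 2316 IRP_MJ_CLOSE : F7B2A1C0
09:46:09:400 2316 IRP_MJ_READ : F7B2A3F4
09:46:09:400 2316 IRP_MJ_WRITE : F7B2A3F4
09:46:09:400 2316 IRP_MJ_DEVICE_CONTROL : 8A0C3B20
09:46:09:400 2316 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7B27E10
09:46:09:400 2316 IRP_MJ_POWER : F7B29F02
09:46:09:400 2316 IRP_MJ_SET_QUOTA : 804FB8EE
"""


def parse_tables(log_text):
    """Return {driver_name: {irp_name: handler_address}} per dispatch table."""
    tables, current = {}, None
    for line in log_text.splitlines():
        m = DRIVER_RE.search(line)
        if m:
            current = m.group(1)
            tables.setdefault(current, {})
            continue
        m = IRP_RE.search(line)
        if m and current is not None:
            tables[current][m.group(1)] = int(m.group(2), 16)
    return tables


def default_handler(tables):
    """The address seen most often across all tables is the kernel default."""
    counts = Counter(a for t in tables.values() for a in t.values())
    return counts.most_common(1)[0][0]


def find_outliers(tables, window=CLUSTER_WINDOW):
    """Return {driver: [(irp, addr)]} for handlers that are neither the shared
    default nor within `window` bytes of the driver's own handler cluster."""
    default = default_handler(tables)
    outliers = {}
    for driver, table in tables.items():
        own = sorted(a for a in table.values() if a != default)
        if not own:
            continue
        anchor = own[len(own) // 2]  # median: robust against a single hook
        bad = [(irp, a) for irp, a in table.items()
               if a != default and abs(a - anchor) > window]
        if bad:
            outliers[driver] = bad
    return outliers


if __name__ == "__main__":
    tables = parse_tables(SAMPLE_LOG)
    print("default handler: %08X" % default_handler(tables))
    for drv, bad in find_outliers(tables).items():
        for irp, addr in bad:
            print("%s: %s -> %08X is outside the driver's handler cluster"
                  % (drv, irp, addr))
```

Run against a full TDSSKiller log the check reports nothing for the tables posted above, since every non-default address in each table lies within a few KiB of the others; only the constructed cdrom table trips it.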

Re: for Motji

Posted: 21 Mar 2010 10:11
by nessay
ComboFix 10-03-19.08 - Administrator . 03. 2010 9:58.2.1 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1250.421.1033.18.446.306 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\cdrom.sys . . . is infected!!

.
--------------- FCopy ---------------

c:\aec.sys --> c:\windows\system32\drivers\aec.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy__VOIDd.sys


((((((((((((((((((((((((( Files Created from 2010-02-21 to 2010-03-21 )))))))))))))))))))))))))))))))
.

2010-03-21 08:54 . 2009-08-21 11:04 142464 ------w- C:\aec.sys
2010-03-20 14:55 . 2010-03-20 14:55 -------- d-----w- C:\_OTM
2010-03-20 14:54 . 2010-03-20 14:54 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2010-03-19 16:48 . 2010-03-19 16:48 -------- d-----w- c:\program files\trend micro
2010-03-19 16:48 . 2010-03-19 17:10 -------- d-----w- C:\rsit
2010-03-13 17:05 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-20 17:24 . 2009-08-31 18:52 -------- d-----w- c:\program files\Opera
2010-03-19 11:02 . 2006-05-30 07:28 84800 ----a-w- c:\windows\system32\drivers\cdrom.sys
2010-03-19 11:02 . 2010-03-19 11:02 8 ----a-w- c:\documents and settings\NetworkService.NT AUTHORITY\Application Data\zcbmvn.dat
2010-02-21 16:04 . 2010-01-28 12:05 -------- d-----w- c:\documents and settings\mama\Application Data\Skype
2010-02-21 15:09 . 2010-01-28 12:09 -------- d-----w- c:\documents and settings\mama\Application Data\skypePM
2010-02-06 14:07 . 2009-08-31 18:49 -------- d-----w- c:\documents and settings\mama\Application Data\U3
2010-01-28 12:09 . 2010-01-28 12:09 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-01-28 12:05 . 2010-01-28 12:05 -------- d-----r- c:\program files\Skype
2010-01-28 12:05 . 2010-01-28 12:05 -------- d-----w- c:\program files\Common Files\Skype
2010-01-28 12:05 . 2010-01-28 12:05 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Skype
2009-12-31 16:14 . 2006-05-30 07:28 352640 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-27 02:33 . 2009-12-27 02:33 0 ----a-w- c:\windows\nsreg.dat
.

------- Sigcheck -------

[-] 2008-04-14 . A706E122B398FE1AB85CB9B75D044223 . 3066880 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\mshtml.dll
[-] 2006-05-30 . 2A7567272A55781663C1793508479674 . 3123712 . . [6.00.2900.2873] . . c:\windows\system32\mshtml.dll

[-] 2008-04-14 . 7A4F775ABB2F1C97DEF3E73AFA2FAEDD . 666112 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\wininet.dll
[-] 2006-05-30 . E8183DB3295A0D7104B978351418B51F . 668672 . . [6.00.2900.2861] . . c:\windows\system32\wininet.dll

[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe
[-] 2006-05-30 . CCA49B59735BB6EFE1F22AC414FF4041 . 1289728 . . [6.00.2900.2180] . . c:\windows\explorer.exe

[-] 2006-05-30 07:28 . B9715B9C18BC6C8F4B66733D208CC9F7 . 25088 . . [10.0.3790.4332] . . c:\windows\system32\mspmsnsv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 28672]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-06-25 335872]
"CARPService"="carpserv.exe" [2003-11-08 4608]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2006-05-30 15360]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Ralink Wireless Utility.lnk - c:\program files\RALINK\Common\RaUI.exe [2007-11-25 589824]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
AppSecDll REG_SZ c:\documents and settings\mama\Local Settings\Application Data\Windows Server\ljpdea.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [14. 11. 2009 9:01 721904]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f74259ab-965e-11de-9b37-002163e383ac}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://travian.sk/
IE: E&xportovať do programu Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath -

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".sk");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-21 10:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(712)
c:\windows\system32\cscui.dll

- - - - - - - > 'explorer.exe'(6404)
c:\windows\System32\cscui.dll
c:\windows\system32\msi.dll
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\NETSHELL.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\carpserv.exe
.
**************************************************************************
.
Completion time: 2010-03-21 10:07:47 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-21 09:07
ComboFix2.txt 2010-03-20 16:06

Pre-Run: 52 067 598 336 bytes free
Post-Run: 52 037 029 888 bytes free

- - End Of File - - 30ED16F61083E440A6FC9D2463C37237
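
Reading a ComboFix log by hand is error-prone because the lines that matter are spread across sections. The script below is an added example, not ComboFix's code and not part of this post: it pulls out the entries a responder would act on in the log above. The AppCertDlls value makes Windows load the listed DLL into every process that calls CreateProcess, so an entry pointing into a user profile is a system-wide persistence point; the Security Center AntiVirusOverride and FirewallOverride flags suppress the no-antivirus and firewall-off warnings; EnableFirewall = 0 in the standard profile means the host firewall is off; and an "is infected!!" line is ComboFix's own verdict. The sample text is the relevant lines of the log above; the list of trusted DLL locations is an assumption.

```python
"""Triage of the "Reg Loading Points" section of a ComboFix log.

Added example, not ComboFix's code. Parses the REGEDIT4-style dump and
reports the settings that weaken the host or persist across every process.
"""
import re

SECTION_RE = re.compile(r"^\[(.+)\]\s*$")
VALUE_RE = re.compile(r'^"?([^"=]+)"?\s*=\s*(.*?)\s*$')
APPCERT_RE = re.compile(r"^(\S+)\s+REG_SZ\s+(.+?)\s*$")

# Assumption: AppCertDlls entries are expected only under the Windows directory.
TRUSTED_DLL_PREFIXES = ("c:\\windows\\",)

# Relevant lines copied from the log above (constructed excerpt).
SAMPLE_LOG = r"""
c:\windows\system32\drivers\cdrom.sys . . . is infected!!

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
AppSecDll REG_SZ c:\documents and settings\mama\Local Settings\Application Data\Windows Server\ljpdea.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"""


def parse_sections(text):
    """Return {section_name_lower: [stripped lines]} for the registry dump."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, [])
        elif current and line.strip():
            sections[current].append(line.strip())
    return sections


def _values(lines):
    """Map "Name"=value lines of one section to {name_lower: value}."""
    out = {}
    for line in lines:
        m = VALUE_RE.match(line)
        if m:
            out[m.group(1).strip().lower()] = m.group(2)
    return out


def triage(text):
    """Return [(severity, finding)] for the settings worth acting on."""
    findings = []
    for name, lines in parse_sections(text).items():
        if name.endswith("\\appcertdlls"):
            for line in lines:
                m = APPCERT_RE.match(line)
                if m and not m.group(2).lower().startswith(TRUSTED_DLL_PREFIXES):
                    findings.append(("high", "AppCertDlls '%s' loads %s into every "
                                     "process that calls CreateProcess"
                                     % (m.group(1), m.group(2))))
        elif name.endswith("\\security center"):
            v = _values(lines)
            for key in ("antivirusoverride", "firewalloverride"):
                if v.get(key, "").endswith("00000001"):
                    findings.append(("medium", "Security Center %s set: "
                                     "warning suppressed" % key))
        elif name.endswith("firewallpolicy\\standardprofile"):
            if _values(lines).get("enablefirewall", "").startswith("0"):
                findings.append(("medium", "Windows Firewall disabled in "
                                 "standard profile"))
    for line in text.splitlines():
        if "is infected!!" in line:
            findings.append(("high", line.strip()))
    return findings


if __name__ == "__main__":
    for severity, finding in triage(SAMPLE_LOG):
        print("[%s] %s" % (severity, finding))
```

The Run keys are parsed but not judged here: autostart entries need a per-host allowlist, whereas an AppCertDlls entry in a user profile, Security Center overrides, or a disabled firewall are wrong on almost any workstation.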

Re: for Motji

Posted: 21 Mar 2010 12:04
by motji
OK, how is the computer doing now?

Download this file http://leteckaposta.cz/662319687, unpack it and save it directly on drive C, so that its path is
C:\cdrom.sys


If it isn't there already, move ComboFix to the desktop
- open Notepad
- copy the text from this box into it

Code:

FCOPY::
C:\cdrom.sys | c:\windows\system32\drivers\cdrom.sys


- save the TXT file you created as CFScript.txt on the desktop
- once saved, grab the script you created with the left mouse button and drag it onto the ComboFix icon, where you drop it:

[image]


- after it runs, another log will pop up; paste it here

Warning: it can happen that Windows will not boot after the script is applied and the machine restarts; in that case restart again, pressing F8 while it boots, then choose Last Known Good Configuration

Re: for Motji

Posted: 21 Mar 2010 13:35
by nessay
ComboFix 10-03-19.08 - Administrator . 03. 2010 13:01:57.3.1 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1250.421.1033.18.446.315 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\cdrom.sys --> c:\windows\system32\drivers\cdrom.sys
.
((((((((((((((((((((((((( Files Created from 2010-02-21 to 2010-03-21 )))))))))))))))))))))))))))))))
.

2010-03-21 11:59 . 2004-08-03 20:59 49536 ------w- C:\cdrom.sys
2010-03-20 14:55 . 2010-03-20 14:55 -------- d-----w- C:\_OTM
2010-03-20 14:54 . 2010-03-20 14:54 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2010-03-19 16:48 . 2010-03-19 16:48 -------- d-----w- c:\program files\trend micro
2010-03-19 16:48 . 2010-03-19 17:10 -------- d-----w- C:\rsit
2010-03-13 17:05 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-20 17:24 . 2009-08-31 18:52 -------- d-----w- c:\program files\Opera
2010-03-19 11:02 . 2010-03-19 11:02 8 ----a-w- c:\documents and settings\NetworkService.NT AUTHORITY\Application Data\zcbmvn.dat
2010-02-21 16:04 . 2010-01-28 12:05 -------- d-----w- c:\documents and settings\mama\Application Data\Skype
2010-02-21 15:09 . 2010-01-28 12:09 -------- d-----w- c:\documents and settings\mama\Application Data\skypePM
2010-02-06 14:07 . 2009-08-31 18:49 -------- d-----w- c:\documents and settings\mama\Application Data\U3
2010-01-28 12:09 . 2010-01-28 12:09 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-01-28 12:05 . 2010-01-28 12:05 -------- d-----r- c:\program files\Skype
2010-01-28 12:05 . 2010-01-28 12:05 -------- d-----w- c:\program files\Common Files\Skype
2010-01-28 12:05 . 2010-01-28 12:05 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Skype
2009-12-31 16:14 . 2006-05-30 07:28 352640 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-27 02:33 . 2009-12-27 02:33 0 ----a-w- c:\windows\nsreg.dat
.

------- Sigcheck -------

[-] 2008-04-14 . A706E122B398FE1AB85CB9B75D044223 . 3066880 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\mshtml.dll
[-] 2006-05-30 . 2A7567272A55781663C1793508479674 . 3123712 . . [6.00.2900.2873] . . c:\windows\system32\mshtml.dll

[-] 2008-04-14 . 7A4F775ABB2F1C97DEF3E73AFA2FAEDD . 666112 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\wininet.dll
[-] 2006-05-30 . E8183DB3295A0D7104B978351418B51F . 668672 . . [6.00.2900.2861] . . c:\windows\system32\wininet.dll

[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe
[-] 2006-05-30 . CCA49B59735BB6EFE1F22AC414FF4041 . 1289728 . . [6.00.2900.2180] . . c:\windows\explorer.exe

[-] 2006-05-30 07:28 . B9715B9C18BC6C8F4B66733D208CC9F7 . 25088 . . [10.0.3790.4332] . . c:\windows\system32\mspmsnsv.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-03-20_16.03.19 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-31 16:13 . 2009-08-21 11:04 142464 c:\windows\system32\drivers\aec.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 28672]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-06-25 335872]
"CARPService"="carpserv.exe" [2003-11-08 4608]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2006-05-30 15360]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Ralink Wireless Utility.lnk - c:\program files\RALINK\Common\RaUI.exe [2007-11-25 589824]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
AppSecDll REG_SZ c:\documents and settings\mama\Local Settings\Application Data\Windows Server\ljpdea.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [14. 11. 2009 9:01 721904]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath -

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".sk");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-21 13:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(220)
c:\windows\system32\cscui.dll

- - - - - - - > 'explorer.exe'(1200)
c:\windows\System32\cscui.dll
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\NETSHELL.dll
.
Completion time: 2010-03-21 13:09:19
ComboFix-quarantined-files.txt 2010-03-21 12:09
ComboFix2.txt 2010-03-20 16:06

Pre-Run: 52 044 042 240 bytes free
Post-Run: 52 016 861 184 bytes free

- - End Of File - - 47149CEB2F83E38CD2AC85C5CCDAABAA