VIRY.CZ

Hezky den,
pomozte, prosim, bezradnemu.

Trva klidne az 20min., nez po startu Win zacne reagovat Start a cely Hlavni panel.
A taky zmizel panel Jazyku (v nasteveni nelze naskrtnout) a panel Avast!u - to asi po tom, co Avast neco nekde nasel, a ja rekl smazat pro vsechny (odtud jiste chapete, ze nejsem kovany uzivatel a pripadnou pomoc, prosim, formulujte po lopate).
Predem Vam vsem dekuji.

Projel jsem to MWAV.exe s nasledujicim vysledkem (vynechany nejake chyby, ktere pripadly nevyznamne, mohu dodat):

** Scanning may fail! File Locked [SUSPICIOUS]: C:\WINDOWS\system32\Drivers\sptd.sys (????)
Objekt "kazaa Spyware/Adware" nalezen v souborovém systému! Provedené akce: Ponecháno, neodstraněno!.
Objekt "Winvestigator Commercial KeyLogger" nalezen v souborovém systému! Provedené akce: Ponecháno, neodstraněno!.
Objekt "zipitpro Spyware/Adware" nalezen v souborovém systému! Provedené akce: Ponecháno, neodstraněno!.
Objekt "Backdoor (IRCBot) Trojans Spyware/Adware" nalezen v souborovém systému! Provedené akce: Ponecháno, neodstraněno!.
Objekt "Backdoor (IRCBot) Trojans Spyware/Adware" nalezen v souborovém systému! Provedené akce: Ponecháno, neodstraněno!.
Objekt "DiskKnight Adware" nalezen v souborovém systému! Provedené akce: Ponecháno, neodstraněno!.
Objekt "AntiSpyware Pro XP Corrupted Adware/Spyware" nalezen v souborovém systému! Provedené akce: Ponecháno, neodstraněno!.
Objekt "Spyware.KeyProwler Corrupted Adware/Spyware" nalezen v souborovém systému! Provedené akce: Ponecháno, neodstraněno!.

A potom ComboFix.exe, zde cely log (zmenil jsem jmeno za Uzivatel):

ComboFix 10-03-19.08 - Uzivatel 23.03.2010 20:52:46.11.1 - x86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.420.1029.18.750.473 [GMT 1:00]
Spuštěný z: c:\documents and settings\ Uzivatel\Plocha\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100323-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\regedit.com
c:\windows\system32\taskmgr.com

.
((((((((((((((((((((((((( Soubory vytvořené od 2010-02-23 do 2010-03-23 )))))))))))))))))))))))))))))))
.

2010-03-21 20:51 . 2010-03-21 20:51 -------- d---a-w- c:\windows\VDLL.DLL
2010-03-21 20:51 . 2010-03-21 20:51 -------- d---a-w- c:\windows\system32\runouce.exe
2010-03-21 20:51 . 2010-03-21 20:51 -------- d---a-w- c:\windows\RUNDL132.EXE
2010-03-21 20:51 . 2010-03-21 20:51 -------- d---a-w- c:\windows\logo_1.exe
2010-03-21 20:46 . 2010-03-21 20:46 632064 ----a-w- c:\windows\system32\msvcr80.dll
2010-03-21 20:46 . 2010-03-21 20:46 554240 ----a-w- c:\windows\system32\msvcp80.dll
2010-03-21 20:46 . 2010-03-21 20:46 34048 ----a-w- c:\windows\system32\eEmpty.exe
2010-03-21 20:46 . 2004-08-18 12:00 147968 ----a-w- c:\windows\R.COM
2010-03-21 20:46 . 2004-08-18 12:00 137216 ----a-w- c:\windows\system32\T.COM
2010-03-21 20:46 . 2010-03-21 20:46 -------- d-----w- c:\program files\Common Files\MicroWorld
2010-03-21 19:51 . 2009-10-22 11:54 37392 ----a-w- c:\windows\system32\drivers\32076202.sys
2010-03-21 19:51 . 2009-10-09 21:31 315408 ----a-w- c:\windows\system32\drivers\3207620.sys
2010-03-21 19:51 . 2009-09-25 15:59 128016 ----a-w- c:\windows\system32\drivers\32076201.sys
2010-03-20 22:01 . 2010-03-20 22:01 142592 ----a-w- c:\windows\system32\drivers\sp_rsdrv2.sys
2010-03-20 22:01 . 2010-03-20 22:10 -------- d-----w- c:\program files\Spyware Terminator
2010-03-07 11:07 . 2004-08-03 21:59 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-03-07 11:06 . 2004-08-03 22:00 8192 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2010-03-01 13:34 . 2010-03-01 13:34 -------- d-----w- c:\program files\Fotolab

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-20 15:55 . 2007-01-22 14:30 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-03-04 18:43 . 2009-10-07 19:51 -------- d-----w- c:\program files\rajce
2010-01-28 08:56 . 2007-01-16 16:30 -------- d-----w- c:\program files\Google
2009-12-31 16:14 . 2004-08-18 12:00 352640 ----a-w- c:\windows\system32\drivers\srv.sys
2008-08-14 14:39 . 2008-08-14 14:39 1495112 ----a-w- c:\program files\install_flash_player.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-03-09_18.05.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-23 18:32 . 2010-03-23 18:32 16384 c:\windows\temp\Perflib_Perfdata_740.dat
+ 2010-03-21 20:27 . 2010-03-21 20:27 16384 c:\windows\temp\Perflib_Perfdata_4f4.dat
+ 2008-11-20 09:34 . 2008-07-08 12:59 18296 c:\windows\system32\spmsg.dll
- 2008-11-20 09:34 . 2009-05-26 11:40 18296 c:\windows\system32\spmsg.dll
+ 2010-03-20 15:59 . 2010-03-20 15:59 22528 c:\windows\Installer\6fc41.msi
+ 2006-09-21 11:06 . 2009-10-23 14:27 3555328 c:\windows\system32\dllcache\moviemk.exe
- 2006-09-21 11:06 . 2004-08-18 12:00 3555328 c:\windows\system32\dllcache\moviemk.exe
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpywareTerminatorUpdate"="c:\program files\Spyware Terminator\SpywareTerminatorUpdate.exe" [2010-03-20 3037696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2003-04-06 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-04-06 114688]
"CHotkey"="mHotkey.exe" [2002-08-02 473600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-18 15360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\WgaTray.exe"=
"c:\\Program Files\\Java\\jre1.6.0_03\\bin\\jusched.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"AllowOutboundPacketTooBig"= 1 (0x1)

R0 32076202;32076202 Boot Guard Driver;c:\windows\system32\drivers\32076202.sys [21.3.2010 20:51 37392]
R1 32076201;32076201;c:\windows\system32\drivers\32076201.sys [21.3.2010 20:51 128016]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [1.5.2009 07:10 114768]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [20.3.2010 23:01 142592]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [1.5.2009 07:10 20560]
S0 sptd;sptd;c:\windows\system32\Drivers\sptd.sys --> c:\windows\system32\Drivers\sptd.sys [?]
S2 gupdate1c8d5c084debec0;Google Update Service (gupdate1c8d5c084debec0);c:\program files\Google\Update\GoogleUpdate.exe [12.7.2008 08:34 133104]
S3 SQLAgent$AUTODESKVAULT;SQLAgent$AUTODESKVAULT;c:\program files\Microsoft SQL Server\MSSQL$AUTODESKVAULT\Binn\sqlagent.EXE [3.5.2005 21:42 323584]
.
Obsah adresáře 'Naplánované úlohy'

2010-03-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-07-12 21:48]

2010-03-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-07-12 21:48]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.centrum.cz/skinit/icq/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {8E00B58F-70C0-4C99-A133-A6C0197A66F7} = 10.0.0.138,212.80.66.7
DPF: {1F831FA2-42FC-11D4-95A6-0080AD30DCE1} - file://c:\program files\AutoCAD LT 2002 Cz\InstFred.ocx
DPF: {AE563723-B4F5-11D4-A415-00108302FDFD} - file://c:\program files\AutoCAD LT 2002 Cz\InstBanr.ocx
FF - ProfilePath - c:\documents and settings\ Uzivatel\Data aplikací\Mozilla\Firefox\Profiles\631d832x.default\
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: browser.startup.homepage - hxxp://www.centrum.cz
FF - prefs.js: keyword.URL - hxxp://www.crawler.com/search/dispatcher.aspx? ... 60327&qkw=
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-23 21:00
Windows 5.1.2600 Service Pack 2 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************
.
Celkový čas: 2010-03-23 21:04:37
ComboFix-quarantined-files.txt 2010-03-23 20:04
ComboFix2.txt 2010-03-21 20:44
ComboFix3.txt 2010-03-20 19:49
ComboFix4.txt 2010-03-20 16:33
ComboFix5.txt 2010-03-23 19:51

Před spuštěním: 880 742 400
Po spuštění: 1 141 903 360

- - End Of File - - A75754D8F24B8B02D044A532F223CB6B

Ještě dočistíme. otevřte poznámkový blok a zkopírujte do něj:

Collect::
c:\windows\system32\drivers\32076202.sys
c:\windows\system32\drivers\3207620.sys
c:\windows\system32\drivers\32076201.sys

Driver::
32076202
3207620
32076201

Uložte na plochu jako CFScript.txt. Pak jej myší přetáhněte nad ikonu ComboFix a pusťte. CF se spustí a vykoná příkazy ze skriptu.

Obrázek

Diky moc, ale nepomohlo to.
SDFix i MWAV stale neco nalezaji a ja si nedovolim to jenom tak vymazat.

Zkusim prilozit jeste log z RSIT.
Anebo kdybych mohl udelat jeste neco, prosim, poradte.
DikB

Logfile of random's system information tool 1.06 (written by random/random)
Run by User at 2010-03-25 17:23:37
Systém Microsoft Windows XP Professional Service Pack 2
System drive C: has 842 MB (8%) free of 10 GB
Total RAM: 750 MB (54% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:23:49, on 25.3.2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$AUTODESKVAULT\Binn\sqlservr.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Documents and Settings\User\Plocha\RSIT.exe
C:\Program Files\trend micro\User.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.centrum.cz/skinit/icq/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_custo ... TbId=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [SpywareTerminatorUpdate] "C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: _uninst_setup_9.0.0.722_21.03.2010_18-46.exe.lnk = C:\Documents and Settings\User\Local Settings\temp\_uninst_setup_9.0.0.722_21.03.2010_18-46.exe.bat
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1F831FA2-42FC-11D4-95A6-0080AD30DCE1} (InstaFred) - file://C:\Program Files\AutoCAD LT 2002 Cz\InstFred.ocx
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (Ovládací prvek AcDcToday) - file://C:\Program Files\AutoCAD LT 2002 Cz\AcDcToday.ocx
O16 - DPF: {AE563723-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD LT 2002 Cz\InstBanr.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/s ... wflash.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (Prvek AcPreview) - file://C:\Program Files\AutoCAD LT 2002 Cz\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{8E00B58F-70C0-4C99-A133-A6C0197A66F7}: NameServer = 10.0.0.138,212.80.66.7
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Update Service (gupdate1c8d5c084debec0) (gupdate1c8d5c084debec0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 5854 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll [2007-09-25 501136]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2003-04-06 155648]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2003-04-06 114688]
"CHotkey"=C:\WINDOWS\mHotkey.exe [2002-08-02 473600]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2007-10-10 39792]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SpywareTerminatorUpdate"=C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe [2010-03-20 3037696]

C:\Documents and Settings\User\Nabídka Start\Programy\Po spuštění
_uninst_setup_9.0.0.722_21.03.2010_18-46.exe.lnk - C:\Documents and Settings\User\Local Settings\temp\_uninst_setup_9.0.0.722_21.03.2010_18-46.exe.bat

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2003-04-06 315392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2006-09-20 441136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\WINDOWS\system32\sessmgr.exe"="C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\WINDOWS\system32\WgaTray.exe"="C:\WINDOWS\system32\WgaTray.exe:*:Enabled:ENABLE"
"C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe:*:Enabled:ENABLE"
"C:\Program Files\ICQ6.5\ICQ.exe"="C:\Program Files\ICQ6.5\ICQ.exe:*:Enabled:ICQ6"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======List of files/folders created in the last 2 months======

2010-03-25 17:23:39 ----D---- C:\Program Files\trend micro
2010-03-25 17:23:37 ----D---- C:\rsit
2010-03-24 12:44:49 ----A---- C:\SDFix.exe
2010-03-24 09:56:29 ----A---- C:\ComboFix.txt
2010-03-24 09:26:08 ----AD---- C:\WINDOWS\rundll16.exe
2010-03-24 09:26:08 ----AD---- C:\WINDOWS\logo1_.exe
2010-03-21 21:51:15 ----AD---- C:\WINDOWS\VDLL.DLL
2010-03-21 21:51:15 ----AD---- C:\WINDOWS\system32\runouce.exe
2010-03-21 21:51:15 ----AD---- C:\WINDOWS\RUNDL132.EXE
2010-03-21 21:51:15 ----AD---- C:\WINDOWS\logo_1.exe
2010-03-21 21:46:44 ----A---- C:\WINDOWS\system32\msvcr80.dll
2010-03-21 21:46:43 ----A---- C:\WINDOWS\system32\msvcp80.dll
2010-03-21 21:46:42 ----A---- C:\WINDOWS\system32\eEmpty.exe
2010-03-21 21:46:36 ----A---- C:\WINDOWS\system32\T.COM
2010-03-21 21:46:36 ----A---- C:\WINDOWS\R.COM
2010-03-21 21:46:34 ----D---- C:\Program Files\Common Files\MicroWorld
2010-03-21 21:46:32 ----D---- C:\Documents and Settings\All Users\Data aplikací\MicroWorld
2010-03-20 23:01:12 ----D---- C:\Documents and Settings\User\Data aplikací\Spyware Terminator
2010-03-20 23:01:04 ----D---- C:\Documents and Settings\All Users\Data aplikací\Spyware Terminator
2010-03-20 23:01:01 ----D---- C:\Program Files\Spyware Terminator
2010-03-14 11:13:00 ----HDC---- C:\WINDOWS\$NtUninstallKB975561$
2010-03-09 17:38:28 ----A---- C:\WINDOWS\MBR.exe
2010-03-09 17:38:27 ----A---- C:\WINDOWS\PEV.exe
2010-03-01 14:38:51 ----D---- C:\Documents and Settings\All Users\Data aplikací\hps
2010-03-01 14:34:23 ----D---- C:\Program Files\Fotolab
2010-02-28 00:11:33 ----HDC---- C:\WINDOWS\$NtUninstallKB979306$
2010-02-16 23:45:13 ----HDC---- C:\WINDOWS\$NtUninstallKB977165$
2010-02-13 22:39:38 ----HDC---- C:\WINDOWS\$NtUninstallKB978262$
2010-02-13 22:39:22 ----HDC---- C:\WINDOWS\$NtUninstallKB971468$
2010-02-13 22:39:07 ----HDC---- C:\WINDOWS\$NtUninstallKB978037$
2010-02-13 22:38:50 ----HDC---- C:\WINDOWS\$NtUninstallKB978251$
2010-02-13 22:38:32 ----HDC---- C:\WINDOWS\$NtUninstallKB975560$
2010-02-13 22:38:13 ----HDC---- C:\WINDOWS\$NtUninstallKB977914$
2010-02-13 22:37:49 ----HDC---- C:\WINDOWS\$NtUninstallKB978706$

======List of files/folders modified in the last 2 months======

2010-03-25 17:23:41 ----D---- C:\WINDOWS\Prefetch
2010-03-25 17:23:39 ----D---- C:\Program Files
2010-03-25 17:21:31 ----D---- C:\Program Files\Mozilla Firefox
2010-03-25 17:04:02 ----D---- C:\WINDOWS\temp
2010-03-24 15:20:15 ----D---- C:\SDFix
2010-03-24 12:15:13 ----D---- C:\WINDOWS\system32\CatRoot2
2010-03-24 12:08:27 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-03-24 09:56:34 ----AD---- C:\Qoobox
2010-03-24 09:52:22 ----D---- C:\WINDOWS
2010-03-24 09:52:22 ----A---- C:\WINDOWS\system.ini
2010-03-24 09:51:20 ----D---- C:\WINDOWS\system32
2010-03-24 09:48:58 ----D---- C:\WINDOWS\system32\drivers
2010-03-24 09:48:58 ----D---- C:\WINDOWS\AppPatch
2010-03-24 09:48:50 ----D---- C:\Program Files\Common Files
2010-03-23 23:27:56 ----D---- C:\WINDOWS\system32\config
2010-03-23 23:27:23 ----D---- C:\WINDOWS\ERDNT
2010-03-23 20:51:23 ----SHD---- C:\System Volume Information
2010-03-23 20:51:23 ----D---- C:\WINDOWS\system32\Restore
2010-03-21 22:33:02 ----HD---- C:\WINDOWS\inf
2010-03-20 17:17:06 ----SHD---- C:\WINDOWS\CSC
2010-03-20 16:59:57 ----SHD---- C:\WINDOWS\Installer
2010-03-20 16:55:00 ----D---- C:\Program Files\Mozilla Thunderbird
2010-03-14 11:13:03 ----RSHDC---- C:\WINDOWS\system32\dllcache
2010-03-14 11:13:03 ----D---- C:\Program Files\Movie Maker
2010-03-14 11:12:10 ----HD---- C:\WINDOWS\$hf_mig$
2010-03-09 19:29:57 ----D---- C:\TeXLive2007
2010-03-06 01:22:48 ----D---- C:\Documents and Settings\User\Data aplikací\ICQ
2010-03-04 19:43:53 ----D---- C:\Program Files\rajce
2010-01-28 09:56:50 ----D---- C:\Program Files\Google

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Aavmker4;avast! Asynchronous Virus Monitor; C:\WINDOWS\system32\drivers\Aavmker4.sys [2009-11-25 27408]
R1 aswSP;avast! Self Protection; C:\WINDOWS\system32\drivers\aswSP.sys [2009-11-25 114768]
R1 aswTdi;avast! Network Shield Support; C:\WINDOWS\system32\drivers\aswTdi.sys [2009-11-25 48560]
R1 intelppm;Řadič procesoru Intel; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-18 39936]
R1 kbdhid;Ovladač klávesnice standardu HID; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-17 14848]
R1 sp_rsdrv2;Spyware Terminator Driver 2; \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys []
R2 aswFsBlk;aswFsBlk; C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2009-11-25 20560]
R2 aswMon2;avast! Standard Shield Support; C:\WINDOWS\system32\drivers\aswMon2.sys [2009-11-25 94160]
R2 irda;Protokol IrDA; C:\WINDOWS\system32\DRIVERS\irda.sys [2004-08-04 87424]
R3 {6080A529-897E-4629-A488-ABA0C29B635E};Intel(R) Graphics Platform (SoftBIOS) Driver; C:\WINDOWS\system32\drivers\ialmsbw.sys [2003-04-15 113504]
R3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91};Intel(R) Graphics Chipset (KCH) Driver; C:\WINDOWS\system32\drivers\ialmkchw.sys [2003-04-15 78752]
R3 aswRdr;aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [2009-11-25 23120]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2004-08-04 14080]
R3 cs429x;Cirrus Logic WDM Audio Codec Driver; C:\WINDOWS\system32\drivers\cwawdm.sys [2003-04-25 111104]
R3 HidUsb;Ovladač třídy standardu HID; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2003-04-15 90907]
R3 mouhid;Ovladač myši standardu HID; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-10-24 12160]
R3 NSCIRDA;NSC Infrared Device Driver; C:\WINDOWS\system32\DRIVERS\nscirda.sys [2004-08-04 28672]
R3 Rasirda;WAN Miniport (IrDA); C:\WINDOWS\system32\DRIVERS\rasirda.sys [2001-08-17 19584]
R3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
R3 usbccgp;Obecný nadřazený ovladač Microsoft USB; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 31616]
R3 usbehci;Ovladač miniportu rozšířeného radiče hostitele Microsoft USB 2.0; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-18 26624]
R3 usbhub;Rozbočovač umožnující USB2; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-03 57600]
R3 usbuhci;Ovladač Microsoft univerzálního hostitelského řadiče USB od společnosti Microsoft; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-03 20480]
S3 catchme;catchme; \??\C:\DOCUME~1\NORBER~1\LOCALS~1\Temp\catchme.sys []
S3 USBSTOR;Ovladač velkokapacitního paměťového zařízení USB; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aswUpdSv;avast! iAVS4 Control Service; C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe [2009-11-25 18752]
R2 avast! Antivirus;avast! Antivirus; C:\Program Files\Alwil Software\Avast4\ashServ.exe [2009-11-25 138680]
R2 Irmon;Sledování infračerveného přenosu; C:\WINDOWS\system32\svchost.exe [2004-08-18 14336]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
R2 MSSQL$AUTODESKVAULT;MSSQL$AUTODESKVAULT; C:\Program Files\Microsoft SQL Server\MSSQL$AUTODESKVAULT\Binn\sqlservr.exe [2005-05-04 9150464]
R2 sp_rssrv;Spyware Terminator Realtime Shield Service; C:\Program Files\Spyware Terminator\sp_rsser.exe [2010-03-20 488960]
R3 avast! Mail Scanner;avast! Mail Scanner; C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [2009-11-25 254040]
R3 avast! Web Scanner;avast! Web Scanner; C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [2009-11-25 352920]
S2 gupdate1c8d5c084debec0;Google Update Service (gupdate1c8d5c084debec0); C:\Program Files\Google\Update\GoogleUpdate.exe [2008-08-31 133104]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 Autodesk Licensing Service;Autodesk Licensing Service; C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe [2007-01-02 72704]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 MSSQLServerADHelper;MSSQLServerADHelper; C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe [2005-05-03 73728]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 SQLAgent$AUTODESKVAULT;SQLAgent$AUTODESKVAULT; C:\Program Files\Microsoft SQL Server\MSSQL$AUTODESKVAULT\Binn\sqlagent.EXE [2005-05-03 323584]
S3 WMPNetworkSvc;Služba Windows Media Player Network Sharing; C:\Program Files\Windows Media Player\WMPNetwk.exe [2007-01-05 913920]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-18 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------

Rád bych viděl log z ComboFix. Smazané položky byly rootkity a ty mohly zakrýt další šmejdy.

Zdravim.
Tedy z ComboFixu (opet jse uziv. jmeno nahradil stidlive User):

ComboFix 10-03-25.09 - User 26.03.2010 18:05:20.14.1 - x86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.420.1029.18.750.430 [GMT 1:00]
Spuštěný z: c:\documents and settings\User\Plocha\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100325-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Webroot AntiVirus with Spy Sweeper *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\progra~1\Webroot\WEBROO~1\Backup\ntSVc.ocx

.
((((((((((((((((((((((((( Soubory vytvořené od 2010-02-26 do 2010-03-26 )))))))))))))))))))))))))))))))
.

2010-03-25 20:27 . 2010-03-25 20:27 -------- d-----w- c:\program files\MSSOAP
2010-03-25 20:27 . 2009-11-06 14:19 1563008 ----a-w- c:\windows\WRSetup.dll
2010-03-25 20:27 . 2010-03-25 20:27 -------- d-----w- c:\program files\Webroot
2010-03-25 20:10 . 2010-03-25 20:10 164 ----a-w- c:\windows\install.dat
2010-03-25 16:23 . 2010-03-25 16:23 -------- d-----w- c:\program files\trend micro
2010-03-25 16:23 . 2010-03-25 16:23 -------- d-----w- C:\rsit
2010-03-24 11:44 . 2010-03-24 11:44 0 ----a-w- C:\SDFix.exe
2010-03-24 08:26 . 2010-03-24 08:26 -------- d---a-w- c:\windows\rundll16.exe
2010-03-24 08:26 . 2010-03-24 08:26 -------- d---a-w- c:\windows\logo1_.exe
2010-03-21 20:51 . 2010-03-21 20:51 -------- d---a-w- c:\windows\VDLL.DLL
2010-03-21 20:51 . 2010-03-21 20:51 -------- d---a-w- c:\windows\system32\runouce.exe
2010-03-21 20:51 . 2010-03-21 20:51 -------- d---a-w- c:\windows\RUNDL132.EXE
2010-03-21 20:51 . 2010-03-21 20:51 -------- d---a-w- c:\windows\logo_1.exe
2010-03-21 20:46 . 2010-03-21 20:46 632064 ----a-w- c:\windows\system32\msvcr80.dll
2010-03-21 20:46 . 2010-03-21 20:46 554240 ----a-w- c:\windows\system32\msvcp80.dll
2010-03-21 20:46 . 2010-03-21 20:46 34048 ----a-w- c:\windows\system32\eEmpty.exe
2010-03-21 20:46 . 2004-08-18 12:00 147968 ----a-w- c:\windows\R.COM
2010-03-21 20:46 . 2004-08-18 12:00 137216 ----a-w- c:\windows\system32\T.COM
2010-03-21 20:46 . 2010-03-21 20:46 -------- d-----w- c:\program files\Common Files\MicroWorld
2010-03-20 22:01 . 2010-03-20 22:01 142592 ----a-w- c:\windows\system32\drivers\sp_rsdrv2.sys
2010-03-20 22:01 . 2010-03-20 22:10 -------- d-----w- c:\program files\Spyware Terminator
2010-03-07 11:07 . 2004-08-03 21:59 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-03-07 11:06 . 2004-08-03 22:00 8192 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2010-03-01 13:34 . 2010-03-01 13:34 -------- d-----w- c:\program files\Fotolab

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-25 20:28 . 2010-03-25 20:28 775168 ----a-w- c:\windows\isRS-000.tmp
2010-03-20 15:55 . 2007-01-22 14:30 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-03-04 18:43 . 2009-10-07 19:51 -------- d-----w- c:\program files\rajce
2010-01-28 08:56 . 2007-01-16 16:30 -------- d-----w- c:\program files\Google
2009-12-31 16:14 . 2004-08-18 12:00 352640 ----a-w- c:\windows\system32\drivers\srv.sys
2008-08-14 14:39 . 2008-08-14 14:39 1495112 ----a-w- c:\program files\install_flash_player.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-03-09_18.05.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-25 20:32 . 2010-03-25 20:32 16384 c:\windows\temp\Perflib_Perfdata_d4.dat
+ 2010-03-25 20:32 . 2010-03-25 20:32 16384 c:\windows\temp\Perflib_Perfdata_520.dat
+ 2009-11-06 11:00 . 2009-11-06 11:00 31088 c:\windows\system32\wrLZMA.dll
+ 2009-11-06 11:00 . 2009-11-06 11:00 16240 c:\windows\system32\SsiEfr.exe
+ 2008-11-20 09:34 . 2008-07-08 12:59 18296 c:\windows\system32\spmsg.dll
- 2008-11-20 09:34 . 2009-05-26 11:40 18296 c:\windows\system32\spmsg.dll
+ 2009-11-06 11:00 . 2009-11-06 11:00 23152 c:\windows\system32\drivers\sshrmd.sys
+ 2009-11-06 11:00 . 2009-11-06 11:00 29808 c:\windows\system32\drivers\ssfs0bbc.sys
+ 2006-09-21 11:16 . 2010-03-25 20:31 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-09-21 11:16 . 2010-03-07 11:04 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-09-21 11:16 . 2010-03-07 11:04 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2006-09-21 11:16 . 2010-03-25 20:31 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-03-25 20:32 . 2010-03-25 20:31 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2010-03-20 15:59 . 2010-03-20 15:59 22528 c:\windows\Installer\6fc41.msi
+ 2010-03-25 20:27 . 2010-03-25 20:27 10134 c:\windows\Installer\{3F5B6210-0903-4DC6-8034-8F488AA3A782}\ARPPRODUCTICON.exe
+ 2010-03-25 20:28 . 2010-03-25 20:28 10134 c:\windows\Installer\{32343DB6-9A52-40C9-87E4-5E7C79791C87}\ARPPRODUCTICON.exe
+ 2009-11-06 11:00 . 2009-11-06 11:00 176752 c:\windows\system32\drivers\ssidrv.sys
+ 2010-03-25 20:28 . 2009-11-06 14:14 511328 c:\windows\system32\capicom.dll
- 2006-09-21 11:06 . 2004-08-18 12:00 3555328 c:\windows\system32\dllcache\moviemk.exe
+ 2006-09-21 11:06 . 2009-10-23 14:27 3555328 c:\windows\system32\dllcache\moviemk.exe
+ 2010-03-25 20:28 . 2010-03-25 20:28 1473024 c:\windows\Installer\7211838.msi
+ 2010-03-25 20:27 . 2010-03-25 20:27 2981376 c:\windows\Installer\7211832.msi
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]
@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
2009-11-06 14:14 238968 ----a-w- c:\program files\Webroot\WebrootSecurity\Backup\CtxMenu_1_0_0_10.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpywareTerminatorUpdate"="c:\program files\Spyware Terminator\SpywareTerminatorUpdate.exe" [2010-03-20 3037696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2003-04-06 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-04-06 114688]
"CHotkey"="mHotkey.exe" [2002-08-02 473600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"SpySweeper"="c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe" [2009-11-06 6515784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-18 15360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\WgaTray.exe"=
"c:\\Program Files\\Java\\jre1.6.0_03\\bin\\jusched.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"AllowOutboundPacketTooBig"= 1 (0x1)

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [6.11.2009 12:00 29808]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [1.5.2009 07:10 114768]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [20.3.2010 23:01 142592]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [1.5.2009 07:10 20560]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [25.3.2010 21:29 1201640]
S0 sptd;sptd;c:\windows\system32\Drivers\sptd.sys --> c:\windows\system32\Drivers\sptd.sys [?]
S2 gupdate1c8d5c084debec0;Google Update Service (gupdate1c8d5c084debec0);c:\program files\Google\Update\GoogleUpdate.exe [12.7.2008 08:34 133104]
S3 SQLAgent$AUTODESKVAULT;SQLAgent$AUTODESKVAULT;c:\program files\Microsoft SQL Server\MSSQL$AUTODESKVAULT\Binn\sqlagent.EXE [3.5.2005 21:42 323584]

--- Ostatní služby/ovladače v paměti ---

*NewlyCreated* - SSFS0BBC
*NewlyCreated* - SSHRMD
*NewlyCreated* - SSIDRV
*NewlyCreated* - WEBROOTSPYSWEEPERSERVICE
*NewlyCreated* - WRCONSUMERSERVICE
.
Obsah adresáře 'Naplánované úlohy'

2010-03-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-07-12 21:48]

2010-03-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-07-12 21:48]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.centrum.cz/skinit/icq/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {8E00B58F-70C0-4C99-A133-A6C0197A66F7} = 10.0.0.138,212.80.66.7
DPF: {1F831FA2-42FC-11D4-95A6-0080AD30DCE1} - file://c:\program files\AutoCAD LT 2002 Cz\InstFred.ocx
DPF: {AE563723-B4F5-11D4-A415-00108302FDFD} - file://c:\program files\AutoCAD LT 2002 Cz\InstBanr.ocx
FF - ProfilePath - c:\documents and settings\User\Data aplikací\Mozilla\Firefox\Profiles\631d832x.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.centrum.cz
FF - prefs.js: keyword.URL - hxxp://www.crawler.com/search/dispatcher.aspx? ... 60327&qkw=
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -

AddRemove-{95E0E6DC-C308-4C96-BEDB-68C75A32FAF8}_is1 - c:\program files\Tetris\unins000.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-26 18:14
Windows 5.1.2600 Service Pack 2 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************
.
Celkový čas: 2010-03-26 18:18:57
ComboFix-quarantined-files.txt 2010-03-26 17:18
ComboFix2.txt 2010-03-24 08:56
ComboFix3.txt 2010-03-23 23:08
ComboFix4.txt 2010-03-23 20:04
ComboFix5.txt 2010-03-26 17:03

Před spuštěním: 453 128 192
Po spuštění: 429 137 920

- - End Of File - - C8630C8063354EB2DDCCFCA48A28BAF6

Log již vypadá čistý. Co našly MBAM a SDFix?

MBAM prikladam, SDFix prilozim, jen co najdu nejcerstversi.
CusB

Malwarebytes' Anti-Malware 1.44
Verze databáze: 3919
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

26.3.2010 21:54:20
mbam-log-2010-03-26 (21-54-02).txt

Typ kontroly: Rychlá kontrola
Zkontrolované objekty: 127387
Uplynulý čas: 13 minute(s), 15 second(s)

Infikované procesy v paměti: 0
Infikované moduly v paměti: 0
Infikované klíče registru: 0
Infikované hodnoty registru: 0
Infikované datové položky registru: 0
Infikované adresáře: 0
Infikované soubory: 1

Infikované procesy v paměti:
(Nebyly nalezeny žádné škodlivé položky)

Infikované moduly v paměti:
(Nebyly nalezeny žádné škodlivé položky)

Infikované klíče registru:
(Nebyly nalezeny žádné škodlivé položky)

Infikované hodnoty registru:
(Nebyly nalezeny žádné škodlivé položky)

Infikované datové položky registru:
(Nebyly nalezeny žádné škodlivé položky)

Infikované adresáře:
(Nebyly nalezeny žádné škodlivé položky)

Infikované soubory:
C:\Documents and Settings\Norbert Pomp\Data aplikací\avdrn.dat (Malware.Trace) -> No action taken.

Položku smažte.

Zdravim Rudy,
MBam jsem projel znovu a co nasel (1ks) odstranil. Restart...SDFix projel, nasel a nesmazal:

SDFix: Version 1.240
Run by Norbert Pomp on so 27.03.2010 at 19:45

Microsoft Windows XP [Verze 5.1.2600]
Running From: C:\SDFiX_\SDFix

Checking Services :

Restoring Default Security Values
Restoring Default Hosts File

Rebooting

Checking Files :

Trojan Files Found:

Could Not Remove C:\WINDOWS\rundl132.exe

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-27 20:20:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes]
"\f\1e?r?n?é? ?u?k?a?z?a?t?e?l?e? ?"="C:\WINDOWS\cursors\arrow_r.cur,C:\WINDOWS\cursors\help_r.cur,C:\WINDOWS\cursors\wait_r.cur,C:\WINDOWS\cursors\busy_r.cur,C:\WINDOWS\cursors\cross_r.cur,C:\WINDOWS\cursors\beam_r.cur,C:\WINDOWS\cursors\pen_r.cur,C:\WINDOWS\cursors\no_r.cur,C:\WINDOWS\cursors\size4_r.cur,C:\WINDOWS\cursors\size3_r.cur,C:\WINDOWS\cursors\size2_r.cur,C:\WINDOWS\cursors\size1_r.cur,C:\WINDOWS\cursors\move_r.cur,C:\WINDOWS\cursors\up_r.cur"
"\f\1e?r?n?é? ?u?k?a?z?a?t?e?l?e? ?(?v?e?l?k?é?)?"="C:\WINDOWS\cursors\arrow_rm.cur,C:\WINDOWS\cursors\help_rm.cur,C:\WINDOWS\cursors\wait_rm.cur,C:\WINDOWS\cursors\busy_rm.cur,C:\WINDOWS\cursors\cross_rm.cur,C:\WINDOWS\cursors\beam_rm.cur,C:\WINDOWS\cursors\pen_rm.cur,C:\WINDOWS\cursors\no_rm.cur,C:\WINDOWS\cursors\size4_rm.cur,C:\WINDOWS\cursors\size3_rm.cur,C:\WINDOWS\cursors\size2_rm.cur,C:\WINDOWS\cursors\size1_rm.cur,C:\WINDOWS\cursors\move_rm.cur,C:\WINDOWS\cursors\up_rm.cur"
"\f\1e?r?n?é? ?u?k?a?z?a?t?e?l?e? ?(?n?e?j?v?\e\1t?a\1í?)?"="C:\WINDOWS\cursors\arrow_rl.cur,C:\WINDOWS\cursors\help_rl.cur,C:\WINDOWS\cursors\wait_rl.cur,C:\WINDOWS\cursors\busy_rl.cur,C:\WINDOWS\cursors\cross_rl.cur,C:\WINDOWS\cursors\beam_rl.cur,C:\WINDOWS\cursors\pen_rl.cur,C:\WINDOWS\cursors\no_rl.cur,C:\WINDOWS\cursors\size4_rl.cur,C:\WINDOWS\cursors\size3_rl.cur,C:\WINDOWS\cursors\size2_rl.cur,C:\WINDOWS\cursors\size1_rl.cur,C:\WINDOWS\cursors\move_rl.cur,C:\WINDOWS\cursors\up_rl.cur"

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\WgaTray.exe"="C:\\WINDOWS\\system32\\WgaTray.exe:*:Enabled:ENABLE"
"C:\\Program Files\\Java\\jre1.6.0_03\\bin\\jusched.exe"="C:\\Program Files\\Java\\jre1.6.0_03\\bin\\jusched.exe:*:Enabled:ENABLE"
"C:\\Program Files\\ICQ6.5\\ICQ.exe"="C:\\Program Files\\ICQ6.5\\ICQ.exe:*:Enabled:ICQ6"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :

C:\WINDOWS\rundl132.exe Found

File Backups: - C:\SDFiX_\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 16 May 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"

Finished!

Zlikvidoval v podstatě jen zbytek po MWAV (C:\WINDOWS\rundl132.exe) Změnilo se něco?

Stale dlouhy nabeh, nez zacne fungovat hlavni panel a Start a stale chybi panel Jazyku (v nastaveni Jazykovem a mistnim je tlacitko Zapnout panel jazyku neaktivni sedive). A neobevuje se ani panel Avast!u.
Zacinam si myslet, ze je potreba trochu vyspravit system, udajne existuji CD, ktere to umi bez me vyrazne pomoci..
Diky moc.
CusBert

Zkuste obnovu systému k datu, kdy korektně fungoval.

VIRY.CZ

Dlouhy start WinXP, log ComboFix, MWAV:kazaa,zipitpro...

Dlouhy start WinXP, log ComboFix, MWAV:kazaa,zipitpro...

Re: Dlouhy start WinXP, log ComboFix, MWAV:kazaa,zipitpro...

Re: Dlouhy start WinXP, log ComboFix, MWAV:kazaa,zipitpro...

Re: Dlouhy start WinXP, log ComboFix, MWAV:kazaa,zipitpro...

Re: Dlouhy start WinXP, log ComboFix, MWAV:kazaa,zipitpro...

Re: Dlouhy start WinXP, log ComboFix, MWAV:kazaa,zipitpro...

Re: Dlouhy start WinXP, log ComboFix, MWAV:kazaa,zipitpro...

Re: Dlouhy start WinXP, log ComboFix, MWAV:kazaa,zipitpro...

Re: Dlouhy start WinXP, log ComboFix, MWAV:kazaa,zipitpro...

Re: Dlouhy start WinXP, log ComboFix, MWAV:kazaa,zipitpro...

Re: Dlouhy start WinXP, log ComboFix, MWAV:kazaa,zipitpro...

Re: Dlouhy start WinXP, log ComboFix, MWAV:kazaa,zipitpro...