
Win32:Rootkit-Gen - could not log in

vazny
Visitor
Posts: 32
Registered: 04 Apr 2010 07:16

Win32:Rootkit-Gen - could not log in

#1 Post by vazny

A friend asked me to rescue his son's notebook.

Win XP. At startup, after a long time, a message appeared asking for the admin password to be changed because it had supposedly expired; I changed it to a neutral one and then managed to log in with that same password. AVAST is full of Win32:Rootkit-Gen alerts.

The computer lost the ability to connect to wifi.

I didn't dare to connect it by cable to my own network behind the router and the rather weak DLINK firewall.

RSIT log:

Logfile of random's system information tool 1.06 (written by random/random)
Run by admin at 2010-04-04 09:49:54
Systém Microsoft Windows XP Professional Service Pack 3
System drive C: has 912 MB (2%) free of 50 GB
Total RAM: 2043 MB (65% free)

HijackThis download failed

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Google Software Updater.job
C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
C:\WINDOWS\tasks\Norton Security Scan for admin.job
C:\WINDOWS\tasks\User_Feed_Synchronization-{1307A713-10D0-4BB9-926D-E1A68A97C2A0}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Podpora odkazu pro Adobe PDF Reader - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-23 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3049C3E9-B461-4BC5-8870-4C09146192CA}]
RealPlayer Download and Record Plugin for Internet Explorer - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll [2010-01-29 329312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3134413B-49B4-425C-98A5-893C1F195601}]
BHO_Startup Class - C:\Program Files\Hewlett-Packard\File Sanitizer\IEBHO.dll [2008-05-02 110592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac}]
MyPlayCity Toolbar - C:\Program Files\MyPlayCity\tbMyP1.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7c5c0f58-e061-457d-9033-77307f5ed00c}]
TorrentMan Toolbar - C:\Program Files\TorrentMan\tbTor1.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll [2009-04-16 668656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-10-11 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DF21F1DB-80C6-11D3-9483-B03D0EC10000}]
Credential Manager for HP ProtectTools - c:\Program Files\Hewlett-Packard\IAM\Bin\ItIEAddIn.dll [2008-09-23 98064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-10-11 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847}]
SweetIM Toolbar Helper - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll [2009-10-19 1345336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{855F3B16-6D32-4fe6-8A56-BBB695989046} - ICQToolBar - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll [2008-12-09 958200]
{7c5c0f58-e061-457d-9033-77307f5ed00c} - TorrentMan Toolbar - C:\Program Files\TorrentMan\tbTor1.dll []
{4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac} - MyPlayCity Toolbar - C:\Program Files\MyPlayCity\tbMyP1.dll []
{EEE6C35B-6118-11DC-9C72-001320C79847} - SweetIM Toolbar for Internet Explorer - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll [2009-10-19 1345336]
{32099AAC-C132-4136-9E9A-4E364A424E17} - DAEMON Tools Toolbar - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll [2009-11-24 953800]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2008-12-04 1310720]
"VisualTooltip"=C:\Program Files\Utilities\VisualTooltip\VisualToolTip.exe [2006-12-27 955904]
"QlbCtrl.exe"=C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe [2008-05-14 177456]
"AccelerometerSysTrayApplet"=c:\WINDOWS\system32\AccelerometerSt.Exe [2008-06-09 82224]
"PDF Complete"=C:\Program Files\PDF Complete\pdfsty.exe [2008-05-12 318488]
"IAAnotif"=C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe [2008-06-20 178712]
"IntelZeroConfig"=C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe [2008-08-20 1368064]
"IntelWireless"=C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe [2008-08-20 1191936]
"File Sanitizer"=C:\Program Files\Hewlett-Packard\File Sanitizer\CoreShredder.exe [2008-05-02 10244096]
"SoundMAX"=C:\Program Files\Analog Devices\SoundMAX\Smax4.exe [2008-03-24 884736]
""= []
"accrdsub"=c:\Program Files\ActivIdentity\ActivClient\accrdsub.exe [2007-11-27 298536]
"PTHOSTTR"=c:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE [2008-10-07 349488]
"CognizanceTS"=c:\PROGRA~1\HEWLET~1\IAM\Bin\ASTSVCC.dll [2008-09-23 24848]
"SoundMAXPnP"=C:\Program Files\Analog Devices\Core\smax4pnp.exe [2008-04-04 1044480]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]
"ISUSPM Startup"=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe [2004-06-16 221184]
"ISUSScheduler"=C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2004-06-16 81920]
"BluetoothAuthenticationAgent"=bthprops.cpl,,BluetoothAuthenticationAgent []
"AppleSyncNotifier"=C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [2009-03-06 177472]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2009-01-05 413696]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2009-04-02 342312]
"KernelFaultCheck"=C:\WINDOWS\system32\dumprep 0 -k []
"HP Software Update"=C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [2008-12-08 54576]
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [2009-11-25 81000]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-10-11 149280]
"SweetIM"=C:\Program Files\SweetIM\Messenger\SweetIM.exe [2009-10-20 111928]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2010-01-29 198160]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"LClock"=C:\Program Files\LClock\lclock.exe [2004-09-19 65536]
"LightScribe Control Panel"=C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden []
"EA Core"=C:\Program Files\Electronic Arts\EADM\Core.exe -silent []
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2009-04-16 39408]
"Sony Ericsson PC Suite"=C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe [2009-09-24 434176]
"Skype"=C:\Program Files\Skype\Phone\Skype.exe [2009-10-09 25623336]
"DAEMON Tools Lite"=D:\Program Files\DAEMON Tools Lite\DTLite.exe [2009-10-30 369200]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\Documents and Settings\admin\Start Menu\Programs\Startup
winesm32.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="APSHook.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ackpbsc]
c:\WINDOWS\system32\ackpbsc.dll [2007-11-27 109568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\acunlock]
c:\Program Files\ActivIdentity\ActivClient\acunlock.dll [2007-11-27 286720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2008-05-08 126976]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\OneCard]
c:\Program Files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll [2008-09-23 158992]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2009-03-10 239496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\wpdshserviceobj.dll [2007-01-17 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
ASWLNPkg

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"DisableCAD"=1
"DisableStatusMessages"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=255
"ForceClassicControlPanel"=1
"NoResolveTrack"=1
"NoResolveSearch"=1
"NoInstrumentation"=1
"NoStartMenuMFUprogramsList"=1
"NoSMHelp"=1
"NoSMConfigurePrograms"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"E:\NFS3.EXE"="E:\NFS3.EXE:*:Enabled:Need For Speed III for Win32"
"C:\Program Files\Duke Nukem - Manhattan Project\prism3d.exe"="C:\Program Files\Duke Nukem - Manhattan Project\prism3d.exe:*:Enabled:prism3d"
"C:\Program Files\Electronic Arts\Need For Speed III\nfs3.exe"="C:\Program Files\Electronic Arts\Need For Speed III\nfs3.exe:*:Enabled:Need For Speed III for Win32"
"C:\Program Files\FlightGear\bin\win32\fgfs.exe"="C:\Program Files\FlightGear\bin\win32\fgfs.exe:*:Enabled:fgfs"
"C:\Documents and Settings\admin\Desktop\Skies\Skies.exe"="C:\Documents and Settings\admin\Desktop\Skies\Skies.exe:*:Enabled:Skies beta"
"C:\Program Files\ICQ6.5\ICQ.exe"="C:\Program Files\ICQ6.5\ICQ.exe:*:Enabled:ICQ6"
"C:\Program Files\Metin2_TESTER\metin2.bin"="C:\Program Files\Metin2_TESTER\metin2.bin:*:Enabled:metin2"
"C:\Program Files\EA GAMES\Battlefield 2 Demo\BF2.exe"="C:\Program Files\EA GAMES\Battlefield 2 Demo\BF2.exe:*:Enabled:Battlefield 2"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\BitLord\BitLord.exe"="C:\Program Files\BitLord\BitLord.exe:*:Enabled:BitLord"
"C:\Program Files\GameSpy Arcade\Aphex.exe"="C:\Program Files\GameSpy Arcade\Aphex.exe:*:Enabled:GameSpy Arcade"
"C:\Program Files\uTorrent\utorrent.exe"="C:\Program Files\uTorrent\utorrent.exe:*:Enabled:µTorrent"
"C:\Program Files\GameTop.com\Extreme Racers\Extreme Racers.exe"="C:\Program Files\GameTop.com\Extreme Racers\Extreme Racers.exe:*:Enabled:Cipher Game Engine"
"C:\Program Files\Electronic Arts\EADM\Core.exe"="C:\Program Files\Electronic Arts\EADM\Core.exe:*:Disabled:EA Download Manager"
"D:\GameSpy Arcade\Aphex.exe"="D:\GameSpy Arcade\Aphex.exe:*:Enabled:GameSpy Arcade"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox"
"C:\Program Files\Real\RealPlayer\realplay.exe"="C:\Program Files\Real\RealPlayer\realplay.exe:*:Disabled:RealPlayer"
"D:\Games\Metin2_TESTER\metin2.bin"="D:\Games\Metin2_TESTER\metin2.bin:*:Enabled:metin2"
"D:\Program Files\Electronic Arts\The Battle for Middle-earth (tm) II\game.dat"="D:\Program Files\Electronic Arts\The Battle for Middle-earth (tm) II\game.dat:*:Enabled:The Battle for Middle-earth(tm) II"
"C:\Documents and Settings\admin\Application Data\Facebook\facebook.exe"="C:\Documents and Settings\admin\Application Data\Facebook\facebook.exe:127.0.0.1/255.255.255.255:Enabled:Facebook"
"C:\Program Files\Sony Ericsson\Sony Ericsson Media Manager\MediaManager.exe"="C:\Program Files\Sony Ericsson\Sony Ericsson Media Manager\MediaManager.exe:*:Enabled:Sony Ericsson Media Manager 1.1"
"D:\Games\Metin2_TESTER\metin2client.bin"="D:\Games\Metin2_TESTER\metin2client.bin:*:Enabled:metin2client"
"C:\Program Files\Google\Chrome\Application\chrome.exe"="C:\Program Files\Google\Chrome\Application\chrome.exe:*:Enabled:Google Chrome"
"D:\Program Files\XIII\system\XIII.exe"="D:\Program Files\XIII\system\XIII.exe:*:Enabled:XIII"
"C:\Program Files\Skype\Plugin Manager\skypePM.exe"="C:\Program Files\Skype\Plugin Manager\skypePM.exe:*:Enabled:Skype Extras Manager"
"C:\Program Files\Cenega Czech\VIETCONG\vietcong.exe"="C:\Program Files\Cenega Czech\VIETCONG\vietcong.exe:*:Enabled:vietcong"
"C:\WINDOWS\system32\dpnsvr.exe"="C:\WINDOWS\system32\dpnsvr.exe:*:Enabled:Microsoft DirectPlay8 Server"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{337a25e6-c475-11dd-a3a4-001f29b3648c}]
shell\AutoRun\command - G:\WD_Windows_Tools\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{980489a0-c1f7-11dd-a39f-001f29b3648c}]
shell\AutoRun\command - F:\InstallSeagateManager.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{da33aba5-c1d3-11dd-a39b-001f29b3648c}]
shell\AutoRun\command - G:\bootcd\wintools\autorun.exe
shell\Option1\command - G:\bootcd\wintools\autorun.exe


======File associations======

.scr - open - "%1" /S "%3"

======List of files/folders created in the last 1 months======

2010-04-04 09:49:55 ----D---- C:\Program Files\trend micro
2010-04-04 09:49:54 ----D---- C:\rsit

======List of files/folders modified in the last 1 months======

2010-04-04 09:49:55 ----RD---- C:\Program Files
2010-04-04 09:49:32 ----D---- C:\Temp
2010-04-04 09:49:29 ----D---- C:\WINDOWS\Temp
2010-04-04 09:48:07 ----SD---- C:\WINDOWS\Tasks
2010-04-04 09:48:00 ----D---- C:\WINDOWS\system32\drivers
2010-04-04 09:46:36 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-04-04 09:45:10 ----D---- C:\Documents and Settings\admin\Application Data\skypePM
2010-04-04 09:44:51 ----D---- C:\Documents and Settings\admin\Application Data\Skype
2010-04-04 09:44:24 ----HD---- C:\WINDOWS\inf
2010-04-04 09:44:21 ----D---- C:\WINDOWS\system32\CatRoot2
2010-04-04 09:37:42 ----A---- C:\WINDOWS\WINCMD.INI
2010-04-03 21:49:59 ----D---- C:\WINDOWS\system32
2010-04-03 21:49:59 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2010-04-03 21:48:37 ----D---- C:\Documents and Settings\All Users\Application Data\Google Updater

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Aavmker4;avast! Asynchronous Virus Monitor; C:\WINDOWS\system32\drivers\Aavmker4.sys [2009-11-25 27408]
R1 aswSP;avast! Self Protection; C:\WINDOWS\system32\drivers\aswSP.sys [2009-09-15 114768]
R1 aswTdi;avast! Network Shield Support; C:\WINDOWS\system32\drivers\aswTdi.sys [2009-11-25 48560]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 NetworkX;NetworkX; C:\WINDOWS\system32\ckldrv.sys [1999-06-18 24736]
R1 RsvLock;RsvLock; C:\WINDOWS\system32\drivers\RsvLock.sys [2008-10-01 12528]
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2008-04-13 8832]
R2 aswFsBlk;aswFsBlk; C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2009-09-15 20560]
R2 aswMon2;avast! Standard Shield Support; C:\WINDOWS\system32\drivers\aswMon2.sys [2009-09-15 94160]
R2 rspndr;Link-Layer Topology Discovery Responder; C:\WINDOWS\system32\DRIVERS\rspndr.sys [2008-12-04 62336]
R2 s24trans;WLAN Transport; C:\WINDOWS\system32\DRIVERS\s24trans.sys [2008-08-04 11904]
R2 TPPORT;TPPORT; C:\WINDOWS\system32\drivers\TPPORT.sys [2004-10-08 6796]
R3 Accelerometer;HP Accelerometer; C:\WINDOWS\system32\DRIVERS\Accelerometer.sys [2008-05-23 28592]
R3 ADIHdAudAddService;ADI UAA Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\ADIHdAud.sys [2008-04-11 338944]
R3 AEAudio;AE Audio Service; C:\WINDOWS\system32\drivers\AEAudio.sys [2007-07-13 94976]
R3 AgereSoftModem;Agere Systems Soft Modem; C:\WINDOWS\system32\DRIVERS\AGRSM.sys [2006-11-28 1161888]
R3 aswRdr;aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [2009-11-25 23120]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2008-05-09 2880512]
R3 BTKRNL;Bluetooth Bus Enumerator; C:\WINDOWS\system32\DRIVERS\btkrnl.sys [2008-04-03 879624]
R3 CmBatt;Microsoft AC Adapter Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-13 13952]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2009-03-19 23400]
R3 HBtnKey;HBtnKey; C:\WINDOWS\system32\DRIVERS\cpqbttn.sys [2008-04-28 9344]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HpqKbFiltr;HpqKbFilter Driver; C:\WINDOWS\system32\DRIVERS\HpqKbFiltr.sys [2007-06-18 16768]
R3 NETw5x32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit; C:\WINDOWS\system32\DRIVERS\NETw5x32.sys [2008-12-04 3632384]
R3 seehcri;Sony Ericsson seehcri Device Driver; C:\WINDOWS\system32\DRIVERS\seehcri.sys [2008-01-09 27632]
R3 SNP2UVC;USB2.0 PC Camera (SNP2UVC); C:\WINDOWS\system32\DRIVERS\snp2uvc.sys [2008-04-10 1804160]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2008-12-04 225696]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 Wdf01000;Wdf01000; C:\WINDOWS\system32\DRIVERS\Wdf01000.sys [2006-11-02 492000]
R3 yukonwxp;NDIS5.1 Miniport Driver for Marvell Yukon Ethernet Controller; C:\WINDOWS\system32\DRIVERS\yk51x86.sys [2008-04-04 296320]
S3 a0pfism3;a0pfism3; C:\WINDOWS\system32\drivers\a0pfism3.sys []
S3 BthPan;Bluetooth Device (Personal Area Network); C:\WINDOWS\system32\DRIVERS\bthpan.sys [2010-02-28 792064]
S3 BTHUSB;Bluetooth Radio USB Driver; C:\WINDOWS\System32\Drivers\BTHUSB.sys [2008-04-13 18944]
S3 BTWUSB;WIDCOMM USB Bluetooth Driver; C:\WINDOWS\System32\Drivers\btwusb.sys [2008-04-03 74688]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
S3 cglptnt;cglptnt; \??\C:\Program Files\totalcmd\cglptnt.sys []
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]
S3 RFCOMM;Bluetooth Device (RFCOMM Protocol TDI); C:\WINDOWS\system32\DRIVERS\rfcomm.sys [2008-04-13 59136]
S3 s3017bus;Sony Ericsson Device 3017 driver (WDM); C:\WINDOWS\system32\DRIVERS\s3017bus.sys [2007-12-10 83880]
S3 s3017mdfl;Sony Ericsson Device 3017 USB WMC Modem Filter; C:\WINDOWS\system32\DRIVERS\s3017mdfl.sys [2007-12-10 15016]
S3 s3017mdm;Sony Ericsson Device 3017 USB WMC Modem Driver; C:\WINDOWS\system32\DRIVERS\s3017mdm.sys [2007-12-10 110632]
S3 s3017mgmt;Sony Ericsson Device 3017 USB WMC Device Management Drivers (WDM); C:\WINDOWS\system32\DRIVERS\s3017mgmt.sys [2007-12-10 104616]
S3 s3017nd5;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (NDIS); C:\WINDOWS\system32\DRIVERS\s3017nd5.sys [2007-12-10 25512]
S3 s3017obex;Sony Ericsson Device 3017 USB WMC OBEX Interface; C:\WINDOWS\system32\DRIVERS\s3017obex.sys [2007-12-10 100648]
S3 s3017unic;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (WDM); C:\WINDOWS\system32\DRIVERS\s3017unic.sys [2007-12-10 110120]
S3 SCR3XX2K;SCR3xx USB SmartCardReader; C:\WINDOWS\system32\DRIVERS\SCR3XX2K.sys [2007-06-21 56448]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]
S3 usbccgp;usbccgp; C:\WINDOWS\system32\drivers\usbccgp.sys [2008-04-13 32128]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 usbvideo;USB Video Device (WDM); C:\WINDOWS\System32\Drivers\usbvideo.sys [2008-04-13 121984]
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2007-01-17 38528]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2007-01-17 82944]
S4 atapi;atapi; C:\WINDOWS\system32\drivers\atapi.sys [2008-04-13 96512]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 accoca;ActivClient Middleware Service; c:\Program Files\ActivIdentity\ActivClient\accoca.exe [2007-11-27 185896]
R2 AgereModemAudio;Agere Modem Call Progress Audio; C:\WINDOWS\system32\agrsmsvc.exe [2006-10-05 9216]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-03-06 132424]
R2 ASBroker;Logon Session Broker; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
R2 ASChannel;Local Communication Channel; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
R2 aswUpdSv;avast! iAVS4 Control Service; C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe [2009-11-25 18752]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2008-05-08 536576]
R2 avast! Antivirus;avast! Antivirus; C:\Program Files\Alwil Software\Avast4\ashServ.exe [2009-11-25 138680]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 BthServ;Bluetooth Support Service; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
R2 btwdins;Bluetooth Service; C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe [2008-03-31 264800]
R2 Crypkey License;Crypkey License; C:\WINDOWS\system32\crypserv.exe [1999-06-18 66560]
R2 EvtEng;Intel® PROSet/Wireless Event Log; C:\Program Files\Intel\WiFi\bin\EvtEng.exe [2008-08-20 860160]
R2 HpFkCryptService;Drive Encryption Service; c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [2008-10-01 256544]
R2 HPFSService;File Sanitizer for HP ProtectTools; C:\Program Files\Hewlett-Packard\File Sanitizer\HPFSService.exe [2008-05-02 77824]
R2 IAANTMON;Intel(R) Matrix Storage Event Monitor; C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe [2008-06-20 354840]
R2 ICQ Service;ICQ Service; C:\Program Files\ICQ6Toolbar\ICQ Service.exe [2008-10-19 222456]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-10-11 153376]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-20 322120]
R2 Net Driver HPZ12;Net Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
R2 OMSI download service;Sony Ericsson OMSI download service; C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe [2009-04-30 90112]
R2 pdfcDispatcher;PDF Document Manager; C:\Program Files\PDF Complete\pdfsvc.exe [2008-05-12 576024]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
R2 RegSrvc;Intel® PROSet/Wireless Registry Service; C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe [2008-08-20 466944]
R2 S24EventMonitor;Intel® PROSet/Wireless WiFi Service; C:\Program Files\Intel\WiFi\bin\S24EvMon.exe [2008-08-20 905216]
R2 UPHClean;User Profile Hive Cleanup; C:\Program Files\UPHClean\uphclean.exe [2005-04-27 241725]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
R3 avast! Mail Scanner;avast! Mail Scanner; C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [2009-11-25 254040]
R3 avast! Web Scanner;avast! Web Scanner; C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [2009-11-25 352920]
R3 Com4QLBEx;Com4QLBEx; C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
R3 hpqwmiex;hpqwmiex; C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe [2008-05-01 165192]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-04-02 656168]
S2 gupdate1c995b2fc59242c;Google Update Service (gupdate1c995b2fc59242c); C:\Program Files\Google\Update\GoogleUpdate.exe [2009-02-23 133104]
S2 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-04-16 183280]
S3 aspnet_state;Stavová služba ASP.NET; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 HP ProtectTools Service;HP ProtectTools Service; c:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTChangeFilterService.exe [2008-10-07 45056]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 idsvc;Služba Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S4 NetTcpPortSharing;Služba sdílení portů Net.Tcp; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------

vazny
Visitor
Posts: 32
Registered: 04 Apr 2010 07:16

Re: Win32:Rootkit-Gen - could not log in

#2 Post by vazny

Wouldn't it make more sense to just reinstall it?

Caroprd111
VIP
Posts: 13492
Registered: 22 Mar 2009 20:48
Location: Třebíč

Re: Win32:Rootkit-Gen - could not log in

#3 Post by Caroprd111

Hello :)

Paste here the exact paths of the files that Avast reports as infected.

Download and save, preferably to the desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
  • Disable all resident security programs - firewalls, antiviruses, antispyware
  • Run the application under an account with Administrator privileges; immediately after it starts, a page with the license terms is shown, continue by pressing the "Yes" button
  • Then follow the instructions; during the scan do not run other applications and do not click into the window that appears
  • The scan should take about 5 - 10 minutes; when it finishes, ComboFix displays the log C:\ComboFix.txt, which you should paste here.
  • The computer may be restarted during the scan.

vazny
Visitor
Posts: 32
Registered: 04 Apr 2010 07:16

Re: Win32:Rootkit-Gen - could not log in

#4 Post by vazny

Selected lines from AVAST; among other things, AVAST also flagged ComboFix.exe as a trojan... Do I understand correctly that AVAST needs to be disabled before running it...
----------------------------------------------------------------------------------------------------------------------------------------

10/10/2009 5:55:17 PM SYSTEM 596 Virus "HTML:Illiframe-C [Trj]" byl nalezen v souboru "http://www.combatant.cz/cz/\{gzip}".
10/10/2009 5:56:59 PM SYSTEM 596 Virus "HTML:Illiframe-C [Trj]" byl nalezen v souboru "http://www.combatant.cz/cz/\{gzip}".
10/10/2009 5:57:06 PM SYSTEM 596 Virus "HTML:Illiframe-C [Trj]" byl nalezen v souboru "http://www.combatant.cz/cz/\{gzip}".
11/1/2009 6:21:08 PM admin 4004 Virus "Win32:Malware-gen" byl nalezen v souboru "C:\Documents and Settings\admin\Desktop\Instalačňáky\pet223cz.exe".
11/1/2009 6:50:47 PM admin 4004 Virus "Win32:Adware-gen [Adw]" byl nalezen v souboru "C:\Temp\Wyno3GnG.exe.part".
11/3/2009 7:34:51 PM admin 4948 Virus "Win32:SpyBot-A2633 [Trj]" byl nalezen v souboru "E:\Start.exe".
12/27/2009 2:36:32 PM SYSTEM 908 Virus "JS:Redirector-AM [Trj]" byl nalezen v souboru "http://www.filmy-ke-shlednuti.net/upload/warning.jpg".
1/15/2010 5:12:24 PM SYSTEM 852 Virus "VBS:Malware-gen" byl nalezen v souboru "G:\Autorun.inf".
1/15/2010 5:12:53 PM SYSTEM 852 Virus "Win32:Downloader-ARK [Trj]" byl nalezen v souboru "G:\desktop.dll".
2/28/2010 5:45:31 PM SYSTEM 492 Virus "VBS:Malware-gen" byl nalezen v souboru "C:\WINDOWS\system32\fjhdyfhsn.bat".
2/28/2010 5:45:40 PM SYSTEM 492 Virus "Win32:Rootkit-gen [Rtk]" byl nalezen v souboru "C:\WINDOWS\system32\drivers\aec.sys".
2/28/2010 5:45:58 PM SYSTEM 492 Virus "Win32:Rootkit-gen [Rtk]" byl nalezen v souboru "C:\WINDOWS\system32\drivers\aec.sys".
2/28/2010 5:46:39 PM SYSTEM 492 Virus "Win32:Rootkit-gen [Rtk]" byl nalezen v souboru "C:\WINDOWS\system32\drivers\asyncmac.sys".
2/28/2010 5:46:53 PM SYSTEM 492 Virus "Win32:Rootkit-gen [Rtk]" byl nalezen v souboru "C:\WINDOWS\system32\drivers\atmarpc.sys".
2/28/2010 5:46:55 PM SYSTEM 492 Virus "Win32:Rootkit-gen [Rtk]" byl nalezen v souboru "C:\temp\bfastfao.sys".
2/28/2010 5:46:59 PM SYSTEM 492 Virus "Win32:Rootkit-gen [Rtk]" byl nalezen v souboru "C:\Temp\bfastfao.sys".
2/28/2010 5:48:06 PM SYSTEM 492 Virus "Win32:Rootkit-gen [Rtk]" byl nalezen v souboru "C:\WINDOWS\system32\drivers\btaudio.sys".
2/28/2010 5:49:52 PM SYSTEM 492 Virus "Win32:Rootkit-gen [Rtk]" byl nalezen v souboru "C:\WINDOWS\system32\drivers\bthenum.sys".
2/28/2010 5:50:03 PM SYSTEM 492 Virus "Win32:Rootkit-gen [Rtk]" byl nalezen v souboru "C:\WINDOWS\system32\drivers\bthpan.sys".
2/28/2010 5:50:15 PM SYSTEM 492 Virus "Win32:Rootkit-gen [Rtk]" byl nalezen v souboru "C:\WINDOWS\system32\DRIVERS\bthpan.sys".
2/28/2010 5:50:22 PM SYSTEM 492 Virus "Win32:Rootkit-gen [Rtk]" byl nalezen v souboru "C:\WINDOWS\system32\drivers\bthport.sys".
4/4/2010 9:45:27 AM SYSTEM 520 Virus "Win32:Rootkit-gen [Rtk]" byl nalezen v souboru "C:\WINDOWS\system32\drivers\bthport.sys".
4/4/2010 5:47:03 PM admin 532 Virus "Win32:Rbot-GOV [Trj]" byl nalezen v souboru "C:\Documents and Settings\admin\Desktop\ComboFix.exe".
4/4/2010 5:47:59 PM admin 532 Virus "Win32:Rbot-GOV [Trj]" byl nalezen v souboru "C:\Documents and Settings\admin\Desktop\ComboFix.exe".
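The avast log above lists the same file several times, sometimes with a differently cased path, and the useful output for the next step of a cleanup is one line per unique file plus the subset that lives in system32\drivers. The parser below is an added example, not part of the thread or of avast; the sample lines are a constructed subset copied from the log above, and the log format (date, user, PID, verdict, Czech "byl nalezen v souboru" = "was found in file", path) is taken from those lines.

```python
"""Turn avast 4.8 detection lines into one record per unique file.

Added example for this thread, not avast's or ComboFix's own code.  The
sample input below is a constructed subset of the avast log posted above.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Set

# Constructed sample input, in the exact line format of the posted avast log.
SAMPLE_AVAST_LOG = r"""
2/28/2010 5:45:31 PM SYSTEM 492 Virus "VBS:Malware-gen" byl nalezen v souboru "C:\WINDOWS\system32\fjhdyfhsn.bat".
2/28/2010 5:45:40 PM SYSTEM 492 Virus "Win32:Rootkit-gen [Rtk]" byl nalezen v souboru "C:\WINDOWS\system32\drivers\aec.sys".
2/28/2010 5:45:58 PM SYSTEM 492 Virus "Win32:Rootkit-gen [Rtk]" byl nalezen v souboru "C:\WINDOWS\system32\drivers\aec.sys".
2/28/2010 5:46:55 PM SYSTEM 492 Virus "Win32:Rootkit-gen [Rtk]" byl nalezen v souboru "C:\temp\bfastfao.sys".
2/28/2010 5:46:59 PM SYSTEM 492 Virus "Win32:Rootkit-gen [Rtk]" byl nalezen v souboru "C:\Temp\bfastfao.sys".
2/28/2010 5:50:03 PM SYSTEM 492 Virus "Win32:Rootkit-gen [Rtk]" byl nalezen v souboru "C:\WINDOWS\system32\drivers\bthpan.sys".
2/28/2010 5:50:15 PM SYSTEM 492 Virus "Win32:Rootkit-gen [Rtk]" byl nalezen v souboru "C:\WINDOWS\system32\DRIVERS\bthpan.sys".
4/4/2010 5:47:03 PM admin 532 Virus "Win32:Rbot-GOV [Trj]" byl nalezen v souboru "C:\Documents and Settings\admin\Desktop\ComboFix.exe".
"""

# One detection line: timestamp, account, PID, quoted verdict, quoted path.
# "byl nalezen v souboru" is the Czech avast wording for "was found in file".
LINE_RE = re.compile(
    r'^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) '
    r'(?P<user>\S+) (?P<pid>\d+) '
    r'Virus "(?P<name>[^"]+)" byl nalezen v souboru "(?P<path>[^"]+)"\.$'
)

SYSTEM_DRIVERS = "c:\\windows\\system32\\drivers\\"


@dataclass
class FileHits:
    path: str                      # normalised: lower-case, backslash separators
    names: Set[str] = field(default_factory=set)   # distinct avast verdicts
    count: int = 0                 # how many log lines named this file
    first_seen: Optional[datetime] = None
    last_seen: Optional[datetime] = None


def normalise(path: str) -> str:
    """Windows file systems are case-insensitive, so "C:\\temp" and "C:\\Temp"
    (both appear in the posted log) must collapse to one key."""
    return str(PureWindowsPath(path)).lower()


def parse_avast_log(text: str) -> Dict[str, FileHits]:
    """Group detection lines by file; lines that are not detections are skipped."""
    hits: Dict[str, FileHits] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # blank line or some other avast event type
        ts = datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p")
        key = normalise(m["path"])
        entry = hits.setdefault(key, FileHits(path=key))
        entry.names.add(m["name"])
        entry.count += 1
        entry.first_seen = ts if entry.first_seen is None else min(entry.first_seen, ts)
        entry.last_seen = ts if entry.last_seen is None else max(entry.last_seen, ts)
    return hits


def system_driver_hits(hits: Dict[str, FileHits]) -> List[str]:
    """Flagged files under system32\\drivers.  A generic "Rootkit-gen" verdict on
    a driver that ships with Windows means either the file on disk was modified
    or the detection is a false positive, so these are the paths worth a second
    opinion (hash lookup or upload on VirusTotal, and comparing size and date
    with the copy in dllcache) rather than blind deletion."""
    return sorted(p for p in hits if p.startswith(SYSTEM_DRIVERS))


def summarise(hits: Dict[str, FileHits]) -> List[str]:
    """One human-readable line per unique file, oldest detection first."""
    ordered = sorted(hits.values(), key=lambda e: e.first_seen)
    return [f"{e.count:2d}x  {', '.join(sorted(e.names)):28s} {e.path}" for e in ordered]


if __name__ == "__main__":
    report = parse_avast_log(SAMPLE_AVAST_LOG)
    print("\n".join(summarise(report)))
    print("\nDrivers needing a second opinion:")
    for p in system_driver_hits(report):
        print("  ", p)
```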

Caroprd111
VIP
Posts: 13492
Registered: 22 Mar 2009 20:48
Location: Třebíč

Re: Win32:Rootkit-Gen - would not log in

#5 Post by Caroprd111 »

Yes, you have to turn Avast off before running ComboFix. :)

vazny
Visitor
Posts: 32
Registered: 04 Apr 2010 07:16

Re: Win32:Rootkit-Gen - would not log in

#6 Post by vazny »

ComboFix log: Unfortunately I couldn't get a single working network connection going at the time of the scan, so it couldn't download the recovery console. After it finished I did manage to get the wifi working, by disabling WPA at home and at the same time switching the wifi from the Intel control tool (probably compromised) to the standard WinXP one.
So the next round is possible with the console as well.
--------------------------------------------


ComboFix 10-04-03.02 - admin 04/04/2010 22:15:51.1.2 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.420.1033.18.2043.1389 [GMT 2:00]
Spuštěný z: c:\documents and settings\admin\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100228-1] *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

VAROVÁNÍ - NA TOMTO POČÍTAČI NENÍ NAINSTALOVÁNA KONZOLA PRO ZOTAVENÍ !!
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\admin\Application Data\avdrn.dat
c:\documents and settings\admin\Application Data\FunWebProducts
c:\documents and settings\admin\Application Data\FunWebProducts\Data\admin\avatar.dat
c:\documents and settings\admin\Application Data\FunWebProducts\Data\admin\outfit.dat
c:\documents and settings\admin\Application Data\FunWebProducts\Data\admin\zbucks.dat
c:\documents and settings\admin\Start Menu\Programs\Startup\winesm32.exe
c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
c:\program files\FunWebProducts
c:\program files\FunWebProducts\ScreenSaver\Images\00261AB3.urr
c:\program files\FunWebProducts\Shared\001D52B6.dat
c:\windows\AppPatch\AcAdProc.dll
c:\windows\regsvr32.exe

.
((((((((((((((((((((((((( Soubory vytvořené od 2010-03-04 do 2010-04-04 )))))))))))))))))))))))))))))))
.

2010-04-04 07:49 . 2010-04-04 07:49 -------- d-----w- c:\program files\trend micro
2010-04-04 07:49 . 2010-04-04 07:49 -------- d-----w- C:\rsit
2010-04-04 07:49 . 2010-04-04 07:49 -------- d-----w- c:\temp\WPDNSE

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-04 20:24 . 2010-02-08 16:07 -------- d-----w- c:\documents and settings\admin\Application Data\Skype
2010-04-04 15:46 . 2009-12-26 20:33 -------- d-----w- c:\documents and settings\admin\Application Data\skypePM
2010-04-03 19:48 . 2009-04-16 10:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-02-28 16:50 . 2008-12-25 19:03 792064 ----a-w- c:\windows\system32\drivers\bthpan.sys
2010-02-28 16:07 . 2008-12-31 21:53 -------- d-----w- c:\documents and settings\admin\Application Data\ICQ
2010-02-25 19:36 . 2009-04-14 17:16 -------- d-----w- c:\documents and settings\admin\Application Data\Ahead
2010-02-19 08:34 . 2008-12-04 07:29 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-19 08:34 . 2009-07-07 09:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-02-18 19:20 . 2009-05-07 10:40 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-02-18 19:11 . 2009-03-08 14:06 -------- d-----w- c:\program files\Multi_Media
2010-02-08 16:34 . 2010-02-08 16:29 -------- d-----w- c:\documents and settings\admin\Application Data\DAEMON Tools Lite
2010-02-08 16:30 . 2010-02-08 16:30 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2010-02-08 16:30 . 2008-12-25 11:29 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-02-08 16:29 . 2010-02-08 16:29 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2010-02-08 16:07 . 2010-02-08 16:07 -------- d-----w- c:\program files\Common Files\Skype
2010-02-08 16:07 . 2010-02-08 16:07 -------- d-----r- c:\program files\Skype
2010-02-08 16:07 . 2009-12-26 20:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-02-08 06:20 . 2009-02-20 09:14 -------- d-----w- c:\program files\Google
2010-01-23 23:06 . 2008-12-04 07:39 66000 ----a-w- c:\documents and settings\admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{EEE6C35D-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll" [2009-10-19 187192]

[HKEY_CLASSES_ROOT\clsid\{eee6c35d-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SweetIM_URLSearchHook.ToolbarURLSearchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35F-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SweetIM_URLSearchHook.ToolbarURLSearchHook]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847}]
2009-10-19 15:15 1345336 ----a-w- c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EEE6C35B-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2009-10-19 1345336]

[HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SWEETIE.IEToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SWEETIE.IEToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{EEE6C35B-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2009-10-19 1345336]

[HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SWEETIE.IEToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SWEETIE.IEToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LClock"="c:\program files\LClock\lclock.exe" [2004-09-19 65536]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-16 39408]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2009-09-24 434176]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]
"DAEMON Tools Lite"="d:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-12-03 1310720]
"VisualTooltip"="c:\program files\Utilities\VisualTooltip\VisualToolTip.exe" [2006-12-27 955904]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-05-14 177456]
"AccelerometerSysTrayApplet"="c:\windows\system32\AccelerometerSt.Exe" [2008-06-09 82224]
"PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2008-05-12 318488]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-06-20 178712]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2008-08-20 1368064]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2008-08-20 1191936]
"File Sanitizer"="c:\program files\Hewlett-Packard\File Sanitizer\CoreShredder.exe" [2008-05-02 10244096]
"accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2007-11-27 298536]
"PTHOSTTR"="c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2008-10-07 349488]
"CognizanceTS"="c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2008-09-23 24848]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-04-04 1044480]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-05 177472]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"SweetIM"="c:\program files\SweetIM\Messenger\SweetIM.exe" [2009-10-20 111928]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-01-29 198160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"LClock"="c:\program files\LClock\LClock.exe" [2004-09-19 65536]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2009-03-08 128512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc]
2007-11-27 16:41 109568 ----a-w- c:\windows\system32\ackpbsc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]
2007-11-27 16:40 286720 ----a-w- c:\program files\ActivIdentity\ActivClient\acunlock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2008-09-23 07:07 158992 ----a-w- c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\APSHook.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"d:\\Games\\Metin2_TESTER\\metin2.bin"=
"d:\\Program Files\\Electronic Arts\\The Battle for Middle-earth (tm) II\\game.dat"=
"c:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager\\MediaManager.exe"=
"d:\\Games\\Metin2_TESTER\\metin2client.bin"=
"c:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"=
"d:\\Program Files\\XIII\\system\\XIII.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Cenega Czech\\VIETCONG\\vietcong.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [10/1/2008 4:01 PM 109216]
R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [10/1/2008 4:02 PM 51408]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [10/1/2008 4:02 PM 12960]
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [12/4/2008 1:23 AM 24064]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/25/2008 1:29 PM 691696]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [10/3/2009 7:37 PM 114768]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [10/1/2008 4:02 PM 12528]
R2 accoca;ActivClient Middleware Service;c:\program files\ActivIdentity\ActivClient\accoca.exe [11/27/2007 6:42 PM 185896]
R2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe -k Cognizance [8/4/2004 1:00 PM 14336]
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [8/4/2004 1:00 PM 14336]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [10/3/2009 7:37 PM 20560]
R2 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [10/1/2008 4:01 PM 256544]
R2 HPFSService;File Sanitizer for HP ProtectTools;c:\program files\Hewlett-Packard\File Sanitizer\HPFSService.exe [12/4/2008 12:28 PM 77824]
R2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [12/31/2008 11:54 PM 222456]
R2 OMSI download service;Sony Ericsson OMSI download service;c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe [12/5/2009 10:49 AM 90112]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [12/4/2008 9:43 AM 576024]
R2 TPPORT;TPPORT;c:\windows\system32\drivers\TPPORT.SYS [12/7/2008 5:35 PM 6796]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [12/4/2008 9:39 AM 193840]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [12/5/2009 10:50 AM 27632]
S2 gupdate1c995b2fc59242c;Google Update Service (gupdate1c995b2fc59242c);c:\program files\Google\Update\GoogleUpdate.exe [2/23/2009 2:33 PM 133104]
S3 cglptnt;cglptnt;c:\program files\totalcmd\CGLPTNT.SYS [12/4/2008 9:21 AM 7888]
S3 HP ProtectTools Service;HP ProtectTools Service;c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTChangeFilterService.exe [10/7/2008 3:17 PM 45056]
S3 s3017bus;Sony Ericsson Device 3017 driver (WDM);c:\windows\system32\drivers\s3017bus.sys [8/30/2009 6:16 PM 83880]
S3 s3017mdfl;Sony Ericsson Device 3017 USB WMC Modem Filter;c:\windows\system32\drivers\s3017mdfl.sys [8/30/2009 6:16 PM 15016]
S3 s3017mdm;Sony Ericsson Device 3017 USB WMC Modem Driver;c:\windows\system32\drivers\s3017mdm.sys [8/30/2009 6:16 PM 110632]
S3 s3017mgmt;Sony Ericsson Device 3017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s3017mgmt.sys [8/30/2009 6:16 PM 104616]
S3 s3017nd5;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (NDIS);c:\windows\system32\drivers\s3017nd5.sys [8/30/2009 6:16 PM 25512]
S3 s3017obex;Sony Ericsson Device 3017 USB WMC OBEX Interface;c:\windows\system32\drivers\s3017obex.sys [8/30/2009 6:16 PM 100648]
S3 s3017unic;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (WDM);c:\windows\system32\drivers\s3017unic.sys [8/30/2009 6:16 PM 110120]
S3 SCR3XX2K;SCR3xx USB SmartCardReader;c:\windows\system32\drivers\SCR3XX2K.sys [6/21/2007 5:40 AM 56448]

--- Ostatní služby/ovladače v paměti ---

*Deregistered* - uphcleanhlp

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
Cognizance REG_MULTI_SZ ASBroker ASChannel
.
Obsah adresáře 'Naplánované úlohy'

2010-02-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2010-04-04 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-20 10:05]

2010-04-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-23 12:33]

2010-04-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-23 12:33]

2010-04-04 c:\windows\Tasks\User_Feed_Synchronization-{1307A713-10D0-4BB9-926D-E1A68A97C2A0}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 02:31]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.daemon-search.com/startpage
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {{230D1201-7607-4CF6-A11F-9E4BF0A333E0} - {0DB13731-CEFD-43CF-A8FD-B61DCBC4D5B8} - c:\program files\Eurotran XP\etnxp.dll
IE: {{2C73F784-D2DE-4422-B070-2E3332FE5744} - {0320AC26-52C8-4316-B2C4-24BB6FA73C9A} - c:\program files\Eurotran XP\etnxp.dll
FF - ProfilePath - c:\documents and settings\admin\Application Data\Mozilla\Firefox\Profiles\t2lbmc9d.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.sweetim.com/search.asp?src=2&q=
FF - prefs.js: browser.search.selectedEngine - Seznam
FF - prefs.js: browser.startup.homepage - hxxp://www.daemon-search.com/startpage|http:// ... om/firefox
FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp? ... searchfor=
FF - component: c:\documents and settings\admin\Application Data\Mozilla\Firefox\Profiles\t2lbmc9d.default\extensions\DTToolbar@toolbarnet.com\components\DTToolbarFF.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -

URLSearchHooks-{7c5c0f58-e061-457d-9033-77307f5ed00c} - c:\program files\TorrentMan\tbTor1.dll
URLSearchHooks-{4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac} - c:\program files\MyPlayCity\tbMyP1.dll
BHO-{4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac} - c:\program files\MyPlayCity\tbMyP1.dll
BHO-{7c5c0f58-e061-457d-9033-77307f5ed00c} - c:\program files\TorrentMan\tbTor1.dll
Toolbar-{7c5c0f58-e061-457d-9033-77307f5ed00c} - c:\program files\TorrentMan\tbTor1.dll
Toolbar-{4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac} - c:\program files\MyPlayCity\tbMyP1.dll
WebBrowser-{7C5C0F58-E061-457D-9033-77307F5ED00C} - c:\program files\TorrentMan\tbTor1.dll
WebBrowser-{4724C5D8-DFA7-417A-A2F5-1EABFEE9B4AC} - c:\program files\MyPlayCity\tbMyP1.dll
HKCU-Run-LightScribe Control Panel - c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe
HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
AddRemove-Atf - d:\program files\All Ten Fingers\uninstall.exe
AddRemove-EADM - c:\program files\Electronic Arts\EADM\Uninstall.exe
AddRemove-EssentialPIM - d:\program files\EssentialPIM\uninstall.exe
AddRemove-FINAL FANTASY VIII Demo - d:\Uninst.isu
AddRemove-GameSpy Arcade - c:\progra~1\GAMESP~1\UNWISE.EXE
AddRemove-GLVIEW - d:\program files\realtech VR\OpenGL Extensions Viewer\uninst.exe
AddRemove-Guess Who - c:\program files\Hasbro Interactive\Guess Who\Uninst.isu
AddRemove-Java Adapter Expert Edition_is1 - d:\program files\JAM_EE\unins000.exe
AddRemove-NOVINÁR JUNIOR - c:\program files\Fragment\Reporter\DeIsL1.isu
AddRemove-The KMPlayer - d:\program files\The KMPlayer\uninstall.exe
AddRemove-The One Ring 3D Screensaver_is1 - c:\program files\The One Ring 3D Screensaver\unins000.exe
AddRemove-TV3D65_is1 - d:\program files\TV3D SDK 6.5\unins000.exe
AddRemove-{7585478E9D9B42108671C12F8714CEFE} - c:\program files\DivX\DivXConverterUninstall.exe
AddRemove-{8ADFC4160D694100B5B8A22DE9DCABD9} - c:\program files\DivX\DivXPlayerUninstall.exe
AddRemove-{B7050CBDB2504B34BC2A9CA0A692CC29} - c:\program files\DivX\DivXWebPlayerUninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-04 22:22
Windows 5.1.2600 Service Pack 3 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys hpdskflt.sys hal.dll ACPI.sys iaStor.sys spuv.sys >>UNKNOWN [0x8A756938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf74dbf28
\Driver\ACPI -> ACPI.sys @ 0xf7253cb8
\Driver\iaStor -> iaStor.sys @ 0xf716e760
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Marvell Yukon 88E8072 PCI-E Gigabit Ethernet Controller -> SendCompleteHandler -> NDIS.sys @ 0xf7026bb0
PacketIndicateHandler -> NDIS.sys @ 0xf7015a0d
SendHandler -> NDIS.sys @ 0xf7029b40
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pdfcDispatcher]
"ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(936)
c:\windows\system32\ackpbsc.dll
c:\windows\system32\aclog.dll
c:\windows\system32\accrypto.dll
c:\windows\system32\ACLIBEAY.dll
c:\windows\system32\acevtsub.dll
c:\windows\system32\asphat32.dll
c:\windows\system32\acerrmes.dll
c:\windows\system32\aspcom.dll
c:\program files\ActivIdentity\ActivClient\Resources\Localized\acerrmrc.dll
c:\program files\ActivIdentity\ActivClient\Resources\Localized\asphatrc.dll
c:\windows\system32\msi.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
c:\program files\Hewlett-Packard\IAM\bin\itmsg.dll
c:\program files\ActivIdentity\ActivClient\acunlock.dll
c:\windows\system32\aipingui.dll
c:\windows\system32\aicext.dll
c:\program files\ActivIdentity\ActivClient\Resources\Localized\aipinguirc.dll
c:\program files\ActivIdentity\ActivClient\resources\acCobAPIrc.dll
c:\program files\ActivIdentity\ActivClient\Resources\Localized\acunlockrc.dll

- - - - - - - > 'explorer.exe'(7812)
c:\windows\system32\WININET.dll
c:\program files\SweetIM\Messenger\mgAdaptersProxy.dll
c:\program files\Utilities\VisualTooltip\VisualTooltip.dll
c:\windows\system32\APSHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\program files\LClock\LC.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Intel\WiFi\bin\S24EvMon.exe
c:\program files\ActivIdentity\ActivClient\acevents.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\System32\SCardSvr.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Hewlett-Packard\IAM\Bin\AsGHost.exe
c:\windows\system32\crypserv.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\UPHClean\uphclean.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\ActivIdentity\ActivClient\acevents.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Celkový čas: 2010-04-04 22:26:34 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-04-04 20:26

Před spuštěním: 853,422,080 bytes free
Po spuštění: 3,689,959,424

- - End Of File - - 68771E3B716FABDC8082C63AC302779D

Caroprd111
VIP
Posts: 13492
Registered: 22 Mar 2009 20:48
Location: Třebíč

Re: Win32:Rootkit-Gen - would not log in

#7 Post by Caroprd111 »

Test these at http://www.virustotal.com/cs/
C:\WINDOWS\system32\drivers\aec.sys
C:\WINDOWS\system32\drivers\asyncmac.sys
C:\WINDOWS\system32\drivers\atmarpc.sys
C:\WINDOWS\system32\drivers\btaudio.sys
C:\WINDOWS\system32\drivers\bthenum.sys
C:\WINDOWS\system32\drivers\bthpan.sys
C:\WINDOWS\system32\drivers\bthport.sys
c:\windows\system32\drivers\TPPORT.SYS

(Don't look for the file, just paste the path marked in bold; if you get the message "File has already been analysed", have it analysed again. Paste the analysis result here as a link.)

vazny
Visitor
Posts: 32
Registered: 04 Apr 2010 07:16

Re: Win32:Rootkit-Gen - would not log in

#8 Post by vazny »

I haven't managed to upload it to http://www.virustotal.com/cs/ yet, because the internet on that notebook runs desperately slowly. The session in IE and in Chrome (what they have on it) drops before I get it there. It could be my wifi router (DLINK), the damaged drivers, or maybe the fact that other viral traffic is running on it. (I hope the provider doesn't close some ports on me because of spam...) So far I haven't dared to monitor it in any way from another computer on the home network while this one was running; I had everything completely disconnected...

The wired network doesn't connect either: it doesn't get an IP address from DHCP, and even with a fixed address and DNS set it didn't start communicating, it receives no packets, yet another computer in the same socket with the same cable worked. (I have brand-new structured cabling in the new flat, so I can't fully vouch for it working yet, and I also have rather bad experience with the DLINK router; sometimes I even have to unplug and replug the desktop from the socket. The original ADSL router did that to me too and then its ports died under warranty. I don't understand how I could have bought it again...)

Should I carefully copy those files out and try uploading them from a flash drive?

Overnight I let avast run, after manually forcing updates of both the program and the database, and it crashed several times...

I tried a full ComboFix run with the recovery console, but without explorer and its taskbar I can't restore the wifi connection after the ComboFix restart. So I'm attaching a log from another incomplete run...

vazny
Visitor
Posts: 32
Registered: 04 Apr 2010 07:16

Re: Win32:Rootkit-Gen - would not log in

#9 Post by vazny »

So here's that log :)
ComboFix 10-04-03.02 - admin 04/05/2010 16:14:19.2.2 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.420.1033.18.2043.1483 [GMT 2:00]
Spuštěný z: c:\documents and settings\admin\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100405-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

VAROVÁNÍ - NA TOMTO POČÍTAČI NENÍ NAINSTALOVÁNA KONZOLA PRO ZOTAVENÍ !!
.

((((((((((((((((((((((((( Soubory vytvořené od 2010-03-05 do 2010-04-05 )))))))))))))))))))))))))))))))
.

2010-04-05 14:20 . 2010-04-05 14:20 -------- d-----w- c:\temp\WPDNSE
2010-04-05 14:20 . 2010-04-05 14:20 53248 ----a-w- c:\temp\catchme.dll
2010-04-05 13:43 . 2010-04-05 13:43 -------- d-----w- C:\TCPView
2010-04-04 21:07 . 2008-04-13 17:51 101120 ----a-w- c:\windows\system32\drivers\bthpan.sys
2010-04-04 21:07 . 2008-04-13 17:51 101120 ----a-w- c:\windows\system32\dllcache\bthpan.sys
2010-04-04 07:49 . 2010-04-04 07:49 -------- d-----w- c:\program files\trend micro
2010-04-04 07:49 . 2010-04-04 07:49 -------- d-----w- C:\rsit

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-05 14:22 . 2010-02-08 16:07 -------- d-----w- c:\documents and settings\admin\Application Data\Skype
2010-04-05 14:22 . 2009-12-26 20:33 -------- d-----w- c:\documents and settings\admin\Application Data\skypePM
2010-04-04 20:49 . 2009-04-16 10:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-02-28 16:07 . 2008-12-31 21:53 -------- d-----w- c:\documents and settings\admin\Application Data\ICQ
2010-02-25 19:36 . 2009-04-14 17:16 -------- d-----w- c:\documents and settings\admin\Application Data\Ahead
2010-02-19 08:34 . 2008-12-04 07:29 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-19 08:34 . 2009-07-07 09:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-02-18 19:20 . 2009-05-07 10:40 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-02-18 19:11 . 2009-03-08 14:06 -------- d-----w- c:\program files\Multi_Media
2010-02-08 16:34 . 2010-02-08 16:29 -------- d-----w- c:\documents and settings\admin\Application Data\DAEMON Tools Lite
2010-02-08 16:30 . 2010-02-08 16:30 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2010-02-08 16:30 . 2008-12-25 11:29 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-02-08 16:29 . 2010-02-08 16:29 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2010-02-08 16:07 . 2010-02-08 16:07 -------- d-----w- c:\program files\Common Files\Skype
2010-02-08 16:07 . 2010-02-08 16:07 -------- d-----r- c:\program files\Skype
2010-02-08 16:07 . 2009-12-26 20:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-02-08 06:20 . 2009-02-20 09:14 -------- d-----w- c:\program files\Google
2010-01-23 23:06 . 2008-12-04 07:39 66000 ----a-w- c:\documents and settings\admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{EEE6C35D-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll" [2009-10-19 187192]

[HKEY_CLASSES_ROOT\clsid\{eee6c35d-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SweetIM_URLSearchHook.ToolbarURLSearchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35F-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SweetIM_URLSearchHook.ToolbarURLSearchHook]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847}]
2009-10-19 15:15 1345336 ----a-w- c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EEE6C35B-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2009-10-19 1345336]

[HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SWEETIE.IEToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SWEETIE.IEToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{EEE6C35B-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2009-10-19 1345336]

[HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SWEETIE.IEToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SWEETIE.IEToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LClock"="c:\program files\LClock\lclock.exe" [2004-09-19 65536]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-16 39408]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2009-09-24 434176]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]
"DAEMON Tools Lite"="d:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-12-03 1310720]
"VisualTooltip"="c:\program files\Utilities\VisualTooltip\VisualToolTip.exe" [2006-12-27 955904]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-05-14 177456]
"AccelerometerSysTrayApplet"="c:\windows\system32\AccelerometerSt.Exe" [2008-06-09 82224]
"PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2008-05-12 318488]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-06-20 178712]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2008-08-20 1368064]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2008-08-20 1191936]
"File Sanitizer"="c:\program files\Hewlett-Packard\File Sanitizer\CoreShredder.exe" [2008-05-02 10244096]
"accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2007-11-27 298536]
"PTHOSTTR"="c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2008-10-07 349488]
"CognizanceTS"="c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2008-09-23 24848]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-04-04 1044480]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-05 177472]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"SweetIM"="c:\program files\SweetIM\Messenger\SweetIM.exe" [2009-10-20 111928]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-01-29 198160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"LClock"="c:\program files\LClock\LClock.exe" [2004-09-19 65536]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2009-03-08 128512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc]
2007-11-27 16:41 109568 ----a-w- c:\windows\system32\ackpbsc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]
2007-11-27 16:40 286720 ----a-w- c:\program files\ActivIdentity\ActivClient\acunlock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2008-09-23 07:07 158992 ----a-w- c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [10/1/2008 4:01 PM 109216]
R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [10/1/2008 4:02 PM 51408]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [10/1/2008 4:02 PM 12960]
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [12/4/2008 1:23 AM 24064]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/25/2008 1:29 PM 691696]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [10/3/2009 7:37 PM 114768]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [10/1/2008 4:02 PM 12528]
R2 accoca;ActivClient Middleware Service;c:\program files\ActivIdentity\ActivClient\accoca.exe [11/27/2007 6:42 PM 185896]
R2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe -k Cognizance [8/4/2004 1:00 PM 14336]
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [8/4/2004 1:00 PM 14336]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [10/3/2009 7:37 PM 20560]
R2 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [10/1/2008 4:01 PM 256544]
R2 HPFSService;File Sanitizer for HP ProtectTools;c:\program files\Hewlett-Packard\File Sanitizer\HPFSService.exe [12/4/2008 12:28 PM 77824]
R2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [12/31/2008 11:54 PM 222456]
R2 OMSI download service;Sony Ericsson OMSI download service;c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe [12/5/2009 10:49 AM 90112]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [12/4/2008 9:43 AM 576024]
R2 TPPORT;TPPORT;c:\windows\system32\drivers\TPPORT.SYS [12/7/2008 5:35 PM 6796]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [12/4/2008 9:39 AM 193840]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [12/5/2009 10:50 AM 27632]
S2 gupdate1c995b2fc59242c;Google Update Service (gupdate1c995b2fc59242c);c:\program files\Google\Update\GoogleUpdate.exe [2/23/2009 2:33 PM 133104]
S3 cglptnt;cglptnt;c:\program files\totalcmd\CGLPTNT.SYS [12/4/2008 9:21 AM 7888]
S3 HP ProtectTools Service;HP ProtectTools Service;c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTChangeFilterService.exe [10/7/2008 3:17 PM 45056]
S3 s3017bus;Sony Ericsson Device 3017 driver (WDM);c:\windows\system32\drivers\s3017bus.sys [8/30/2009 6:16 PM 83880]
S3 s3017mdfl;Sony Ericsson Device 3017 USB WMC Modem Filter;c:\windows\system32\drivers\s3017mdfl.sys [8/30/2009 6:16 PM 15016]
S3 s3017mdm;Sony Ericsson Device 3017 USB WMC Modem Driver;c:\windows\system32\drivers\s3017mdm.sys [8/30/2009 6:16 PM 110632]
S3 s3017mgmt;Sony Ericsson Device 3017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s3017mgmt.sys [8/30/2009 6:16 PM 104616]
S3 s3017nd5;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (NDIS);c:\windows\system32\drivers\s3017nd5.sys [8/30/2009 6:16 PM 25512]
S3 s3017obex;Sony Ericsson Device 3017 USB WMC OBEX Interface;c:\windows\system32\drivers\s3017obex.sys [8/30/2009 6:16 PM 100648]
S3 s3017unic;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (WDM);c:\windows\system32\drivers\s3017unic.sys [8/30/2009 6:16 PM 110120]
S3 SCR3XX2K;SCR3xx USB SmartCardReader;c:\windows\system32\drivers\SCR3XX2K.sys [6/21/2007 5:40 AM 56448]

--- Ostatní služby/ovladače v paměti ---

*Deregistered* - uphcleanhlp

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
Cognizance REG_MULTI_SZ ASBroker ASChannel
.
Obsah adresáře 'Naplánované úlohy'

2010-02-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2010-04-05 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-20 10:05]

2010-04-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-23 12:33]

2010-04-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-23 12:33]

2010-04-05 c:\windows\Tasks\User_Feed_Synchronization-{1307A713-10D0-4BB9-926D-E1A68A97C2A0}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 02:31]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.daemon-search.com/startpage
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {{230D1201-7607-4CF6-A11F-9E4BF0A333E0} - {0DB13731-CEFD-43CF-A8FD-B61DCBC4D5B8} - c:\program files\Eurotran XP\etnxp.dll
IE: {{2C73F784-D2DE-4422-B070-2E3332FE5744} - {0320AC26-52C8-4316-B2C4-24BB6FA73C9A} - c:\program files\Eurotran XP\etnxp.dll
FF - ProfilePath - c:\documents and settings\admin\Application Data\Mozilla\Firefox\Profiles\t2lbmc9d.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.sweetim.com/search.asp?src=2&q=
FF - prefs.js: browser.search.selectedEngine - Seznam
FF - prefs.js: browser.startup.homepage - hxxp://www.daemon-search.com/startpage|http:// ... om/firefox
FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp? ... searchfor=
FF - component: c:\documents and settings\admin\Application Data\Mozilla\Firefox\Profiles\t2lbmc9d.default\extensions\DTToolbar@toolbarnet.com\components\DTToolbarFF.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-05 16:20
Windows 5.1.2600 Service Pack 3 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys hpdskflt.sys hal.dll ACPI.sys iaStor.sys spyv.sys >>UNKNOWN [0x8A75A938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf74dbf28
\Driver\ACPI -> ACPI.sys @ 0xf7253cb8
\Driver\iaStor -> iaStor.sys @ 0xf716e760
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Marvell Yukon 88E8072 PCI-E Gigabit Ethernet Controller -> SendCompleteHandler -> NDIS.sys @ 0xf7026bb0
PacketIndicateHandler -> NDIS.sys @ 0xf7015a0d
SendHandler -> NDIS.sys @ 0xf7029b40
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pdfcDispatcher]
"ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(932)
c:\windows\system32\ackpbsc.dll
c:\windows\system32\aclog.dll
c:\windows\system32\accrypto.dll
c:\windows\system32\ACLIBEAY.dll
c:\windows\system32\acevtsub.dll
c:\windows\system32\asphat32.dll
c:\windows\system32\acerrmes.dll
c:\windows\system32\aspcom.dll
c:\program files\ActivIdentity\ActivClient\Resources\Localized\acerrmrc.dll
c:\program files\ActivIdentity\ActivClient\Resources\Localized\asphatrc.dll
c:\windows\system32\msi.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
c:\program files\Hewlett-Packard\IAM\bin\itmsg.dll
c:\program files\ActivIdentity\ActivClient\acunlock.dll
c:\windows\system32\aipingui.dll
c:\windows\system32\aicext.dll
c:\program files\ActivIdentity\ActivClient\Resources\Localized\aipinguirc.dll
c:\program files\ActivIdentity\ActivClient\resources\acCobAPIrc.dll
c:\program files\ActivIdentity\ActivClient\Resources\Localized\acunlockrc.dll

- - - - - - - > 'explorer.exe'(4312)
c:\windows\system32\WININET.dll
c:\program files\SweetIM\Messenger\mgAdaptersProxy.dll
c:\program files\Utilities\VisualTooltip\VisualTooltip.dll
c:\windows\system32\APSHook.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\program files\LClock\LC.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Intel\WiFi\bin\S24EvMon.exe
c:\program files\ActivIdentity\ActivClient\acevents.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\System32\SCardSvr.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\crypserv.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\UPHClean\uphclean.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\Hewlett-Packard\IAM\Bin\AsGHost.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\ActivIdentity\ActivClient\acevents.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\Macromed\Flash\FlashUtil10c.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Celkový čas: 2010-04-05 16:23:58 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-04-05 14:23
ComboFix2.txt 2010-04-04 20:26

Před spuštěním: 3,765,706,752 bytes free
Po spuštění: 3,723,255,808

- - End Of File - - 30E8104C7C5B3A61112265CEE2DD46C2

Caroprd111
VIP
Posts: 13492
Registered: 22 Mar 2009 20:48
Location: Třebíč

Re: Win32:Rootkit-Gen - would not log in

#10 Post by Caroprd111 »

Skip the files offered for testing.

Do you have the installation CD for your version of Windows?

Download MBAM http://www.viry.cz/forum/viewtopic.php?f=29&t=67229
  • Install it following the guide in the link, then run a full scan.
  • Do not delete anything! MBAM sometimes has false detections and could delete e.g. system files.
  • Post the log here.

vazny
Guest
Posts: 32
Registered: 04 Apr 2010 07:16

Re: Win32:Rootkit-Gen - would not log in

#11 Post by vazny »

I only got around to continuing this week.

Unfortunately, although it is apparently an OEM version of WinXP Prof Cz SP3 (so the licence is tied to the machine, so necessarily legal - setting aside MS's view on the obligation to hand over the manuals etc.), because the machine was bought second-hand they do not have the installation media. (I have the product key both from the sticker and from a tool.) But I do have a CD of FPP WinXP En Prof and OEM WinXP Home Cz SP3.


MBAM did not finish the full scan, I will run it in pieces, but I have the results of a quick scan, though without an update, since the machine still will not connect to the network.

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Verze databáze: 3930

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/15/2010 9:52:49 PM
mbam-log-2010-04-15 (21-52-49).txt

Typ skenu: Rychlý sken
Skenované objekty: 104201
Uplynulý čas: 5 minuta(y), 56 sekunda(y)

Infikované procesy v paměti: 0
Infikované moduly v paměti: 0
Infikované klíče registru: 3
Infikované hodnoty registru: 0
Infikované datové položky registru: 1
Infikované složky: 0
Infikované soubory: 0

Infikované procesy v paměti:
(Žádné škodlivé položky nebyly zjištěny)

Infikované moduly v paměti:
(Žádné škodlivé položky nebyly zjištěny)

Infikované klíče registru:
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> No action taken.

Infikované hodnoty registru:
(Žádné škodlivé položky nebyly zjištěny)

Infikované datové položky registru:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp (Hijack.Help) -> Bad: (1) Good: (0) -> No action taken.

Infikované složky:
(Žádné škodlivé položky nebyly zjištěny)

Infikované soubory:
(Žádné škodlivé položky nebyly zjištěny)

Thanks.

Caroprd111
VIP
Posts: 13492
Registered: 22 Mar 2009 20:48
Location: Třebíč

Re: Win32:Rootkit-Gen - would not log in

#12 Post by Caroprd111 »

Delete everything MBAM found and try running a full scan in Safe Mode.

vazny
Guest
Posts: 32
Registered: 04 Apr 2010 07:16

Re: Win32:Rootkit-Gen - would not log in

#13 Post by vazny »

So I ran it through MBAM; it found several more infections in files that were clearly not system files, so I let it remove them.

Typ skenu: Rychlý sken
Infikované klíče registru:
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Infikované datové položky registru:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp (Hijack.Help) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Typ skenu: Úplný sken
C:\Documents and Settings\admin\Desktop\Downloadery\ZwinkySetup2.3.50.56.ZJfox000.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7D10C4BC-6D00-438A-AF2A-744F057D3E65}\RP3\A0007463.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\WINDOWS\$NtServicePackUninstall$\logonui.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

Even so, the next scan froze again just before the end. But with Avast turned off, the MBAM scan completed without problems.

I think I now have the appropriate OEM installation media (replacement medium).

Thanks

Vážný

vazny
Guest
Posts: 32
Registered: 04 Apr 2010 07:16

Re: Win32:Rootkit-Gen - would not log in

#14 Post by vazny »

I am also attaching a successful ComboFix scan.

http://www.uschovna.cz/vyzvednout1.php/ ... 90b09da252
While it was running, explorer.exe reported an invalid instruction and restarted itself, but ComboFix finished.
Thanks.

Caroprd111
VIP
Posts: 13492
Registered: 22 Mar 2009 20:48
Location: Třebíč

Re: Win32:Rootkit-Gen - would not log in

#15 Post by Caroprd111 »

Uninstall all virtual drive emulators.

Download SPTD http://www.duplexsecure.com/en/downloads
  • Choose the version for your operating system (64 & 32-bit). Save it to the desktop and run it.
  • Choose the Uninstall option and restart the PC.

Download and run http://www.jpshortstuff.247fixes.com/Defogger.exe
  • Click "Disable" and restart the PC.

Download MBR to the desktop http://www2.gmer.net/mbr/mbr.exe

Start > Run (Win + R)
  • A box pops up; copy into it:

Code:

"%userprofile%\plocha\mbr" -t
  • Click OK
  • A log named mbr.log is created; post it here.


Post a log from Gmer http://www.viry.cz/forum/viewtopic.php?f=29&t=62878
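The mbr.log that the last step produces has the same shape as the "Stealth MBR rootkit/Mebroot/Sinowal detector" block already present in the ComboFix log above. As an added example (not the thread's own material and not Gmer's code), here is a small Python triage script that reads such a block, with sample input copied from that log and an allow-list of expected disk-path modules that is an assumption for this HP/Intel laptop:

```python
"""Triage for the Gmer 'Stealth MBR rootkit' detector output (mbr.log).

Added example, not part of the thread and not Gmer's code. It extracts the
module chain on the disk I/O path, '>>UNKNOWN [addr]<<' markers, reported
hooks and the MBR verdict, then flags modules outside an allow-list that is
an assumption for this HP/Intel laptop and must be adjusted per machine.
"""
import re
from dataclasses import dataclass, field

# Assumed allow-list: modules expected on this laptop's disk path.
EXPECTED_MODULES = {
    "ntkrnlpa.exe", "ntoskrnl.exe", "hal.dll", "classpnp.sys", "disk.sys",
    "partmgr.sys", "acpi.sys", "iastor.sys", "hpdskflt.sys", "ndis.sys",
}

# Sample input: the detector block quoted in the ComboFix log above.
SAMPLE_REPORT = """\
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys hpdskflt.sys hal.dll ACPI.sys iaStor.sys spyv.sys >>UNKNOWN [0x8A75A938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\\Driver\\Disk -> CLASSPNP.SYS @ 0xf74dbf28
\\Driver\\ACPI -> ACPI.sys @ 0xf7253cb8
\\Driver\\iaStor -> iaStor.sys @ 0xf716e760
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
\\Device\\Harddisk0\\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
NDIS: Marvell Yukon 88E8072 PCI-E Gigabit Ethernet Controller -> SendCompleteHandler -> NDIS.sys @ 0xf7026bb0
user & kernel MBR OK
"""

UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
# Hook line shape: '<target> -> [<stage> -> ...] <owner module> @ <address>'
HOOK_RE = re.compile(r"^(.*?) -> (?:.* -> )?(\S+) @ 0x[0-9A-Fa-f]+$")

@dataclass
class MbrTriage:
    modules: list = field(default_factory=list)
    unknown_addrs: list = field(default_factory=list)
    hooks: list = field(default_factory=list)  # (target, owner module)
    mbr_ok: bool = False

    def unexpected_modules(self):
        # Anything on the disk path that the allow-list does not know.
        return [m for m in self.modules if m.lower() not in EXPECTED_MODULES]

    def hooked_by(self):
        return {target: owner for target, owner in self.hooks}

def parse_mbr_report(text):
    result = MbrTriage()
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("called modules:"):
            body = line[len("called modules:"):]
            result.unknown_addrs = UNKNOWN_RE.findall(body)
            result.modules = UNKNOWN_RE.sub("", body).split()
        elif line == "user & kernel MBR OK":
            result.mbr_ok = True
        else:
            m = HOOK_RE.match(line)
            if m:
                result.hooks.append((m.group(1), m.group(2)))
    return result

def findings(result):
    """Triage lines for the reader; this flags, it does not convict."""
    out = [f"unattributed code on the disk path at {a}" for a in result.unknown_addrs]
    out += [f"module outside the allow-list: {m}" for m in result.unexpected_modules()]
    # A hook that lands in an unknown module is the one worth a second look.
    out += [f"hook on {t} ends in {o}" for t, o in result.hooks
            if o.lower() not in EXPECTED_MODULES]
    if not result.mbr_ok:
        out.append("MBR differs between user-mode and kernel reads")
    return out
```

On the sample block it flags only the unattributed code at 0x8A75A938 and spyv.sys, which is why re-running the scan after removing emulator drivers (the SPTD and Defogger steps above) is the right way to settle whether such a module is emulator noise or something to pursue.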
